Ensure Rule Compliance: S3 Buckets Block Public Access

Make sure S3 Buckets have 'Block public access (bucket settings)' configured to prevent unauthorized access.

Rule: Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Framework: cis_v130
Severity: High

Ensure S3 Buckets are Configured with 'Block Public Access (bucket settings)' for CIS v1.3.0

Description

The Center for Internet Security (CIS) AWS Foundations Benchmark v1.3.0 recommends that your Amazon S3 buckets have the 'Block public access' setting enabled to prevent any inadvertent public exposure of data. The 'Block public access' settings provide layers of protection to ensure that your S3 buckets and objects have the appropriate access controls.

Blocking public access at the bucket level can prevent the following:

  • Public ACLs (Access Control Lists) that could make the bucket or objects public
  • Grants of permissions to public groups (i.e., any authenticated user or anonymous users)

Troubleshooting Steps

  1. Log in to the AWS Management Console.
  2. Navigate to the S3 service.
  3. Click on the bucket you want to examine.
  4. Find the 'Permissions' tab.
  5. Check the 'Block public access (bucket settings)' section.

If it is not properly configured, you will need to enable block public access settings.

Remediation Steps

Using AWS Management Console

  1. Log in to the AWS Management Console.
  2. Go to the Amazon S3 dashboard.
  3. Select the bucket for which you want to block public access.
  4. Go to the 'Permissions' tab.
  5. Under the 'Block public access (bucket settings)' section, click on the 'Edit' button.
  6. Check all options to block public access:
     • Block new public ACLs and uploading public objects
     • Remove public access granted through public ACLs
     • Block new public bucket policies
     • Block public and cross-account access if bucket has public policies
  7. Click the 'Save' button.
  8. Confirm by typing 'confirm' and click the 'Confirm' button.

Using AWS CLI

To block public access for a specific bucket:

aws s3api put-public-access-block \
    --bucket YOUR-BUCKET-NAME \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Replace YOUR-BUCKET-NAME with your bucket name.

Using AWS CLI for All Buckets

If you want to apply this setting to all buckets in your account, you may use the following script:

# Enumerate every bucket in the account and apply all four block settings to each one
for bucket in $(aws s3api list-buckets --query "Buckets[].Name" --output text)
do
    aws s3api put-public-access-block \
        --bucket "$bucket" \
        --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
done
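The troubleshooting steps above check one bucket at a time in the console, and the remediation commands set four flags. The following added example (not part of the Cloud Defense page) audits a list of buckets for exactly those four flags using the response shape of `s3api get-public-access-block`, treating a bucket with no configuration at all as non-compliant rather than as an API error; the `FakeS3` client and bucket names are constructed so it runs offline.

```python
# Added example (not the Cloud Defense page's code): audit which buckets lack any
# of the four Block Public Access flags the remediation command sets, using the
# response shape of `s3api get-public-access-block`. Sample data is constructed.

REQUIRED_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")

def missing_flags(config):
    """Flags absent or False in a PublicAccessBlockConfiguration dict;
    None (no configuration on the bucket) means every flag is missing."""
    return [f for f in REQUIRED_FLAGS if (config or {}).get(f) is not True]

def fetch_block_config(s3, bucket):
    """Read the configuration from a boto3-style S3 client. A bucket with none
    raises NoSuchPublicAccessBlockConfiguration: that is a finding, not an
    error, so it is returned as None instead of being re-raised."""
    try:
        return s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except Exception as exc:  # botocore ClientError carries .response["Error"]["Code"]
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise

def audit(s3, buckets):
    """Map each non-compliant bucket to the flags it still needs enabled."""
    findings = {}
    for bucket in buckets:
        missing = missing_flags(fetch_block_config(s3, bucket))
        if missing:
            findings[bucket] = missing
    return findings

class FakeS3:
    """Constructed stand-in for boto3.client("s3") so the example runs offline."""
    def __init__(self, configs):
        self.configs = configs
    def get_public_access_block(self, Bucket):
        if Bucket not in self.configs:  # mimic the real ClientError shape
            exc = Exception("NoSuchPublicAccessBlockConfiguration")
            exc.response = {"Error": {"Code": "NoSuchPublicAccessBlockConfiguration"}}
            raise exc
        return {"PublicAccessBlockConfiguration": self.configs[Bucket]}

# Constructed fixtures: one compliant bucket, one half-configured, one with no
# configuration at all ("legacy-www" is absent from the fake client's table).
SAMPLE_S3 = FakeS3({"compliant-logs": dict.fromkeys(REQUIRED_FLAGS, True),
                    "partial-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": True}})
SAMPLE_BUCKETS = ["compliant-logs", "partial-assets", "legacy-www"]
```

`audit(SAMPLE_S3, SAMPLE_BUCKETS)` reports `partial-assets` as missing `BlockPublicPolicy` and `RestrictPublicBuckets` and `legacy-www` as missing all four. Against a real account, pass `boto3.client("s3")` and the names from `list_buckets()["Buckets"]` instead of the fake client.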

Make sure to test any scripts in a non-production environment before deploying them to your production environment to avoid any unintended consequences.

By implementing these settings, you enhance the security posture of your S3 buckets, thereby aligning with the CIS AWS Foundations Benchmark v1.3.0 and protecting your data from unauthorized public access.
