Rule: Ensure S3 Buckets have 'Block Public Access' configured
This rule ensures that S3 Buckets have 'Block Public Access (bucket settings)' enabled to prevent unauthorized access.
| Rule | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' |
| Framework | cis_v140 |
| Severity | ✔ Low |
Rule Description
The S3 Bucket configuration must have 'Block public access (bucket settings)' enabled to comply with the CIS AWS Foundations Benchmark Version 1.4.0 (cis_v140). This ensures that the bucket and its contents are not publicly accessible.
Troubleshooting Steps
If the S3 Bucket is not configured with 'Block public access (bucket settings)', follow these troubleshooting steps:
- 1.Check the current bucket settings to verify if the block public access feature is enabled or disabled.
- 2.If the block public access is disabled, determine the reason behind it. It could be intentional or a misconfiguration.
- 3.Assess the risk associated with not having the block public access enabled. Determine if the bucket contains any sensitive or confidential data that should not be publicly accessible.
- 4.Determine if there are any legitimate reasons for some objects within the bucket to be publicly accessible. If there are, consider using fine-grained access controls to secure those specific objects instead of enabling public access for the entire bucket.
Necessary Codes
No specific code snippets are required for this rule. The configuration change can be performed through the AWS Management Console or via AWS CLI commands.
Remediation Steps
Follow these steps to enable the 'Block public access (bucket settings)' feature for an S3 bucket:
- 1.
AWS Management Console:
- Open the AWS Management Console and navigate to the S3 service.
- Locate the target bucket and click on its name to access the bucket settings.
- Select the "Permissions" tab.
- Scroll down to the "Block public access" section.
- Click on the "Edit" button.
- Enable all the options under "Block public access" by selecting the checkboxes.
- Click on the "Save changes" button to apply the configuration.
- 2.
AWS CLI:
Open the AWS Command Line Interface (CLI) or AWS CloudShell.
Run the following command, replacing
with the actual name of the S3 bucket:<bucket-name>aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"This command enables the block public access feature with all options set to true, ensuring maximum security against public access to the bucket.
Verification
To confirm that the S3 Bucket is configured with 'Block public access (bucket settings)', follow these steps:
- 1.
AWS Management Console:
- Open the AWS Management Console and navigate to the S3 service.
- Locate the target bucket and click on its name to access the bucket settings.
- Select the "Permissions" tab.
- Scroll down to the "Block public access" section.
- Ensure that all options under "Block public access" are enabled (checked).
- 2.
AWS CLI:
Run the following AWS CLI command, replacing
with the actual name of the S3 bucket:<bucket-name>aws s3api get-public-access-block --bucket <bucket-name> --query "PublicAccessBlockConfiguration"The command output should display all the block public access options with a value of
.true
If the verification steps indicate that the S3 bucket is configured with 'Block public access (bucket settings)' enabled, the remediation process is complete, and the bucket complies with the cis_v140 policy.