Ensure that Static website hosting is disabled on your S3 bucket

Configuring a static website on a S3 bucket requires you to grant public read access to the bucket. To make your bucket publicly readable, you must disable block public access settings for the bucket and write a bucket policy that grants public read access. There is a potential risk of exposure when you turn off block public access settings to make your bucket public, anyone on the internet can access your bucket. We recommend that you block all public access to your buckets.

Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.NET.20
Covered by Spectral: Yes
Category: Storage


S3Bucket should not have website.indexDocumentSuffix


From Portal

  1. Sign in to the AWS Management Console and open Amazon S3 dashboard at https://console.aws.amazon.com/s3/.
  2. Choose the name of the bucket for which you want to disable static website feature.
  3. Choose Properties.
  4. Edit Static Website hosting and choose disable.
  5. Save changes.

From TF
While creating a S3 bucket keep ACL private.

resource "aws_s3_bucket" "test" {
	bucket = "s3-website-test.hashicorp.com"
	acl    = "private"
	versioning {
		enabled = true
	- website {
		-   index_document = ...
		-   error_document = ...
	- }

From Command Line
To disable Static website hosting on your S3 bucket, run:

aws s3api delete-bucket-website --bucket BUCKET-NAME


  1. http://docs.aws.amazon.com/AmazonS3/latest/user-guide/static-website-hosting.html
  2. https://docs.aws.amazon.com/general/latest/gr/s3.html
  3. https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset