Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.

Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.CFT.IAM.01
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

AWS_S3_Bucket should have PublicAccessBlockConfiguration.BlockPublicAcls=true and PublicAccessBlockConfiguration.BlockPublicPolicy=true and PublicAccessBlockConfiguration.IgnorePublicAcls=true and PublicAccessBlockConfiguration.RestrictPublicBuckets=true

REMEDIATION

From CFT
Set the PublicAccessBlockConfiguration property of the AWS::S3::Bucket resource with all four of its sub-properties (BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, RestrictPublicBuckets) set to true. The property is an object, not a single boolean; omitting any one of the four leaves that control at its default of false and the bucket fails the rule.
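The following is an added example (not CloudGuard, Spectral or AWS code) that applies the GSL logic above to a CloudFormation template and produces the remediated form of each bucket. The template is a constructed sample in JSON form; the resource names (LegacyBucket, PartialBucket, HardenedBucket, NotABucket) are hypothetical. Flags supplied through an intrinsic function such as Ref are treated as not provably true, which is the conservative reading of the rule.

```python
"""Evaluate 'all four PublicAccessBlockConfiguration flags true' against every
AWS::S3::Bucket in a CloudFormation template, then emit the remediated template.
Added example; not CloudGuard, Spectral or AWS code."""
import json

# The four flags the GSL rule requires, in the order the rule lists them.
REQUIRED_FLAGS = (
    "BlockPublicAcls",
    "BlockPublicPolicy",
    "IgnorePublicAcls",
    "RestrictPublicBuckets",
)

# Constructed sample template (JSON form of a CloudFormation template).
# LegacyBucket has no block at all, PartialBucket leaves two flags at their
# default of false, HardenedBucket is the remediated form, NotABucket is
# ignored because the rule only targets AWS::S3::Bucket.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LegacyBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-legacy"},
        },
        "PartialBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "IgnorePublicAcls": True,
                }
            },
        },
        "HardenedBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                }
            },
        },
        "NotABucket": {"Type": "AWS::SQS::Queue", "Properties": {}},
    },
})


def _is_true(value) -> bool:
    """CloudFormation accepts JSON booleans and the strings "true"/"false".
    Anything else (missing, false, or an intrinsic such as {"Ref": ...})
    is treated as not true, so an unresolvable flag fails the check."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.lower() == "true"


def missing_flags(bucket_props: dict) -> list:
    """Return the required flags that are absent or not true in one bucket's
    Properties. An empty list means the bucket satisfies the rule."""
    cfg = bucket_props.get("PublicAccessBlockConfiguration") or {}
    return [f for f in REQUIRED_FLAGS if not _is_true(cfg.get(f))]


def evaluate_template(template_text: str) -> dict:
    """Map each AWS::S3::Bucket logical ID to its list of missing flags."""
    template = json.loads(template_text)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        results[logical_id] = missing_flags(resource.get("Properties") or {})
    return results


def remediate(template_text: str) -> str:
    """Return the template with every AWS::S3::Bucket given the compliant
    PublicAccessBlockConfiguration (all four flags true)."""
    template = json.loads(template_text)
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") == "AWS::S3::Bucket":
            props = resource.setdefault("Properties", {})
            props["PublicAccessBlockConfiguration"] = {
                f: True for f in REQUIRED_FLAGS
            }
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    for bucket, missing in evaluate_template(SAMPLE_TEMPLATE).items():
        print(bucket, "PASS" if not missing else "FAIL: " + ", ".join(missing))
    print(remediate(SAMPLE_TEMPLATE))
```

Running the script reports LegacyBucket and PartialBucket as failing (with the flags each is missing) and HardenedBucket as passing; the remediated template it prints is the form the remediation step above describes for every bucket.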

References

  1. https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CloudFormation ruleset