S3 Access Point Public Access Block

Overview

This check ensures that your Amazon S3 access points have all four public access block settings enabled. S3 access points provide a simplified way to manage data access at scale, but without proper safeguards, they could accidentally expose your data to the public internet.

The four settings that must be enabled are:

  • Block public ACLs - Prevents new public ACLs from being applied
  • Ignore public ACLs - Ignores any existing public ACLs
  • Block public policy - Prevents new public bucket policies
  • Restrict public buckets - Restricts access to buckets with public policies

Risk

Without public access block configurations, your S3 access points could:

  • Allow unintended public access to sensitive data through misconfigured ACLs or policies
  • Lead to data breaches or exposure of confidential information
  • Enable unauthorized data modifications or deletions
  • Facilitate large-scale data theft

This is a high severity finding that should be addressed promptly.

Remediation Steps

Prerequisites

You need permission to manage S3 access points. This typically requires the s3:CreateAccessPoint, s3:DeleteAccessPoint, and s3:GetAccessPoint permissions.

AWS Console Method

Important: You cannot modify public access block settings on an existing access point. You must delete and recreate it.

  1. Open the Amazon S3 console
  2. In the left navigation, click Access Points
  3. Find the noncompliant access point and note down:
    • The access point name
    • The associated bucket name
    • Any access point policy (click the access point, then Permissions tab)
  4. Select the access point and click Delete
  5. Confirm deletion by typing the access point name
  6. Click Create access point
  7. Enter the same access point name
  8. Select the same bucket
  9. Under Block Public Access settings for this Access Point, ensure all four options are checked (this is the default):
    • Block all public access
    • Block public access to buckets and objects granted through new access control lists (ACLs)
    • Block public access to buckets and objects granted through any access control lists (ACLs)
    • Block public and cross-account access to buckets and objects through any public bucket or access point policies
  10. Click Create access point
  11. If you had an access point policy, reattach it under the Permissions tab

AWS CLI (optional)

List access points to find noncompliant ones:

aws s3control list-access-points \
--account-id <your-account-id> \
--region us-east-1

Get details of a specific access point:

aws s3control get-access-point \
--account-id <your-account-id> \
--name <access-point-name> \
--region us-east-1

Delete the existing access point:

aws s3control delete-access-point \
--account-id <your-account-id> \
--name <access-point-name> \
--region us-east-1

Create a new access point with public access block enabled:

aws s3control create-access-point \
--account-id <your-account-id> \
--name <access-point-name> \
--bucket <bucket-name> \
--public-access-block-configuration \
"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" \
--region us-east-1

Replace:

  • <your-account-id> with your 12-digit AWS account ID
  • <access-point-name> with your access point name
  • <bucket-name> with your S3 bucket name

CloudFormation (optional)

Use this template to create an S3 access point with public access block enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Access Point with public access block enabled

Parameters:
  BucketName:
    Type: String
    Description: Name of the S3 bucket to attach the access point to

  AccessPointName:
    Type: String
    Description: Name for the S3 access point
    AllowedPattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$
    ConstraintDescription: Access point name must be lowercase and can contain hyphens

Resources:
  S3AccessPoint:
    Type: AWS::S3::AccessPoint
    Properties:
      Bucket: !Ref BucketName
      Name: !Ref AccessPointName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true

Outputs:
  AccessPointArn:
    Description: ARN of the S3 Access Point
    Value: !GetAtt S3AccessPoint.Arn
  AccessPointAlias:
    Description: Alias of the S3 Access Point
    Value: !GetAtt S3AccessPoint.Alias

Deploy the template:

aws cloudformation create-stack \
--stack-name s3-access-point-secure \
--template-body file://template.yaml \
--parameters \
ParameterKey=BucketName,ParameterValue=<your-bucket-name> \
ParameterKey=AccessPointName,ParameterValue=<your-access-point-name> \
--region us-east-1

Terraform (optional)

Use this configuration to create an S3 access point with public access block enabled:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

variable "bucket_name" {
  description = "Name of the S3 bucket to attach the access point to"
  type        = string
}

variable "access_point_name" {
  description = "Name for the S3 access point"
  type        = string
}

resource "aws_s3_access_point" "secure_access_point" {
  bucket = var.bucket_name
  name   = var.access_point_name

  public_access_block_configuration {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
}

output "access_point_arn" {
  description = "ARN of the S3 Access Point"
  value       = aws_s3_access_point.secure_access_point.arn
}

output "access_point_alias" {
  description = "Alias of the S3 Access Point"
  value       = aws_s3_access_point.secure_access_point.alias
}

Apply the configuration:

terraform init
terraform apply -var="bucket_name=<your-bucket-name>" -var="access_point_name=<your-access-point-name>"

Verification

After remediation, verify that public access block is enabled:

  1. Go to S3 > Access Points in the AWS Console
  2. Click on your access point
  3. Under the Permissions tab, confirm Block Public Access shows all four settings as On

CLI verification

aws s3control get-access-point \
--account-id <your-account-id> \
--name <access-point-name> \
--region us-east-1 \
--query 'PublicAccessBlockConfiguration'

Expected output:

{
  "BlockPublicAcls": true,
  "IgnorePublicAcls": true,
  "BlockPublicPolicy": true,
  "RestrictPublicBuckets": true
}

Re-run the Prowler check:

prowler aws --checks s3_access_point_public_access_block
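As an added example (not Prowler's own check code), the following Python script applies the same four-flag test that the verification command above spells out, across every access point returned by ListAccessPoints. It assumes boto3 for a live run and ships with constructed sample responses (FakeS3Control, not real AWS data) so the logic runs offline:

```python
# Added example (not Prowler's own check code): same s3control calls as the
# CLI steps above (ListAccessPoints, GetAccessPoint), evaluated in Python.
from typing import Any, Dict, List, Optional

REQUIRED_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")

def missing_flags(pab: Optional[Dict[str, Any]]) -> List[str]:
    """Flags not set to True; a missing or empty configuration counts as
    all four missing, the conservative reading for this finding."""
    pab = pab or {}
    return [f for f in REQUIRED_FLAGS if pab.get(f) is not True]

def audit_access_points(client: Any, account_id: str) -> List[Dict[str, Any]]:
    """One finding per access point, compliant only if all four flags are on;
    `client` is boto3's s3control client or any object with the same two methods."""
    findings, kwargs = [], {"AccountId": account_id}
    while True:  # ListAccessPoints pages with NextToken
        page = client.list_access_points(**kwargs)
        for ap in page.get("AccessPointList", []):
            detail = client.get_access_point(AccountId=account_id, Name=ap["Name"])
            missing = missing_flags(detail.get("PublicAccessBlockConfiguration"))
            findings.append({"name": ap["Name"], "bucket": ap.get("Bucket"),
                             "compliant": not missing, "missing": missing})
        if not page.get("NextToken"):
            return findings
        kwargs["NextToken"] = page["NextToken"]

class FakeS3Control:
    """Constructed sample responses (not real AWS data) for an offline run."""
    _pages = {None: {"AccessPointList": [{"Name": "good-ap", "Bucket": "b1"}],
                     "NextToken": "t1"},
              "t1": {"AccessPointList": [{"Name": "bad-ap", "Bucket": "b2"},
                                         {"Name": "old-ap", "Bucket": "b3"}]}}
    _details = {
        "good-ap": {"PublicAccessBlockConfiguration": dict.fromkeys(REQUIRED_FLAGS, True)},
        "bad-ap": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
        "old-ap": {}}  # no configuration in the response at all

    def list_access_points(self, **kwargs):
        return self._pages[kwargs.get("NextToken")]

    def get_access_point(self, AccountId, Name):
        return self._details[Name]

if __name__ == "__main__":  # swap in boto3.client("s3control") for a live run
    for f in audit_access_points(FakeS3Control(), "123456789012"):
        print("PASS" if f["compliant"] else "FAIL", f["name"], f["missing"])
```

For a live account, replace FakeS3Control() with boto3.client("s3control", region_name=...) and pass your 12-digit account ID; any FAIL line names exactly the flags to restore by recreating that access point.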

Additional Resources

Notes

  • Existing access points cannot be modified: The public access block configuration is set at creation time and cannot be changed afterward. You must delete and recreate the access point.
  • Access point policies: If your access point had a custom policy, make sure to reattach it after recreation.
  • VPC-only access points: For sensitive workloads, consider creating access points that only allow access from a specific VPC using the --vpc-configuration option.
  • Account-level settings: Consider also enabling account-level S3 public access block settings for defense-in-depth.
  • Compliance frameworks: This check maps to CIS, C5, CCC, GDPR, HIPAA, ISO, KISA-ISMS-P, NIS2, PCI, and SOC2 compliance requirements.