S3 Bucket Level Public Access Block

Overview

This check verifies that your Amazon S3 buckets have Block Public Access settings enabled. Specifically, it looks for two settings:

  • Ignore public ACLs - Prevents public ACLs from granting access
  • Restrict public buckets - Blocks public bucket policies

These settings can be enabled at the bucket level or at the account level (which applies to all buckets).

Risk

Without Block Public Access enabled, your S3 bucket could accidentally become publicly accessible. This can happen if someone:

  • Adds a public ACL (Access Control List) to the bucket or objects
  • Creates an overly permissive bucket policy

Potential consequences:

  • Data breach - Sensitive files could be exposed to the internet
  • Data tampering - Unauthorized users might modify or delete your files
  • Compliance violations - Many regulations require data to be private

Remediation Steps

Prerequisites

You need permission to modify S3 bucket settings. If you are not the bucket owner, contact your AWS administrator.

AWS Console Method

  1. Open the Amazon S3 console
  2. Click on the bucket name you want to secure
  3. Go to the Permissions tab
  4. Scroll to Block public access (bucket settings) and click Edit
  5. Check all four boxes:
    • Block all public access
    • Block public access to buckets and objects granted through new access control lists (ACLs)
    • Block public access to buckets and objects granted through any access control lists (ACLs)
    • Block public and cross-account access to buckets and objects through any public bucket or access point policies
  6. Click Save changes
  7. Type confirm in the confirmation dialog and click Confirm

Tip: To protect all buckets at once, go to S3 > Block Public Access settings for this account in the left sidebar and enable the settings at the account level.

AWS CLI (optional)

Enable all Block Public Access settings for a specific bucket:

aws s3api put-public-access-block \
--bucket <your-bucket-name> \
--region us-east-1 \
--public-access-block-configuration \
"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Replace <your-bucket-name> with your actual bucket name.

To enable at the account level (protects all buckets):

aws s3control put-public-access-block \
--account-id <your-account-id> \
--region us-east-1 \
--public-access-block-configuration \
"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

CloudFormation (optional)

Use the following template to create an S3 bucket with Block Public Access enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Bucket with Block Public Access enabled

Parameters:
  BucketName:
    Type: String
    Description: Name of the S3 bucket

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      # All four Block Public Access settings, applied at the bucket level
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Outputs:
  BucketArn:
    Description: ARN of the S3 bucket
    Value: !GetAtt S3Bucket.Arn

Deploy the template:

aws cloudformation create-stack \
--stack-name s3-secure-bucket \
--region us-east-1 \
--template-body file://template.yaml \
--parameters ParameterKey=BucketName,ParameterValue=<your-bucket-name>

Terraform (optional)

Use the following Terraform configuration:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "bucket_name" {
  description = "Name of the S3 bucket"
  type        = string
}

resource "aws_s3_bucket" "example" {
  bucket = var.bucket_name
}

# All four Block Public Access settings, applied at the bucket level
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

output "bucket_arn" {
  description = "ARN of the S3 bucket"
  value       = aws_s3_bucket.example.arn
}

Apply the configuration:

terraform init
terraform plan -var="bucket_name=<your-bucket-name>"
terraform apply -var="bucket_name=<your-bucket-name>"

Verification

After making changes, verify the settings are applied:

  1. In the S3 console, open your bucket and go to the Permissions tab
  2. Under Block public access (bucket settings), confirm all four settings show On

CLI verification (optional)

aws s3api get-public-access-block \
--bucket <your-bucket-name> \
--region us-east-1

Expected output (all values should be true):

{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    }
}
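As an added example (not part of this page or of any AWS tooling), the following Python script evaluates the JSON returned by get-public-access-block the way the check in the Overview does: it merges the bucket-level and account-level configurations, since S3 applies the most restrictive combination of the two, and reports which of the two required settings (IgnorePublicAcls, RestrictPublicBuckets) is missing. The file name check.py and the constructed sample configuration are assumptions.

```python
import json
import sys

# The two settings this check looks for, named as in the CLI output.
REQUIRED_SETTINGS = ("IgnorePublicAcls", "RestrictPublicBuckets")


def parse_cli_output(text):
    """Parse stdout of `aws s3api get-public-access-block`.

    When a bucket has no configuration at all, the CLI writes the
    NoSuchPublicAccessBlockConfiguration error to stderr and nothing to
    stdout, so empty input is treated as "no configuration" (None).
    """
    text = text.strip()
    return json.loads(text) if text else None


def effective_settings(bucket_cfg, account_cfg=None):
    """Merge bucket-level and account-level configurations.

    S3 applies the most restrictive combination of the two levels, so a
    setting is effectively on when either level enables it. Either
    argument may be None when that level has no configuration.
    """
    merged = {}
    for cfg in (bucket_cfg, account_cfg):
        block = (cfg or {}).get("PublicAccessBlockConfiguration", {})
        for name, enabled in block.items():
            merged[name] = merged.get(name, False) or bool(enabled)
    return merged


def evaluate(bucket_cfg, account_cfg=None):
    """Return (passed, missing) for the settings this check requires."""
    effective = effective_settings(bucket_cfg, account_cfg)
    missing = [s for s in REQUIRED_SETTINGS if not effective.get(s, False)]
    return (not missing, missing)


if __name__ == "__main__":
    # Usage: aws s3api get-public-access-block --bucket <name> | python check.py
    if sys.stdin.isatty():
        # No piped input: evaluate a constructed sample where only
        # BlockPublicAcls was enabled (this is expected to fail).
        cfg = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}
    else:
        cfg = parse_cli_output(sys.stdin.read())
    passed, missing = evaluate(cfg)
    print("PASS" if passed else "FAIL: missing " + ", ".join(missing))
    sys.exit(0 if passed else 1)
```

Account-level output from `aws s3control get-public-access-block` can be loaded with parse_cli_output and passed as the second argument to evaluate.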

Additional Resources

Notes

  • Account-level vs. bucket-level: Account-level settings apply to all buckets in your account, including future buckets. This is the recommended approach for most organizations.
  • Existing public access: Enabling Block Public Access does not automatically remove existing public ACLs or policies. It only prevents them from granting public access. Review and remove unnecessary public permissions separately.
  • Directory buckets: Block Public Access is not supported for S3 directory buckets (used with S3 Express One Zone).
  • Service disruptions: If your application intentionally serves public content from S3, enabling these settings will break that functionality. Review your use case before applying.