Block Public Access Settings enabled on Multi Region Access Points

Overview

This check ensures that Amazon S3 Multi-Region Access Points (MRAPs) have all four Block Public Access settings enabled. MRAPs provide a single global endpoint that routes S3 requests to the nearest bucket across multiple AWS regions. Without proper public access controls, this global endpoint could expose your data to the internet.

The four Block Public Access settings are:

  • Block public ACLs - Prevents new public ACLs from being applied
  • Ignore public ACLs - Ignores existing public ACLs
  • Block public policy - Prevents public bucket policies
  • Restrict public buckets - Restricts access to authorized users only

Risk

If Block Public Access is not enabled on a Multi-Region Access Point:

  • Data exposure: Anyone on the internet could potentially list objects or read your data through the global MRAP endpoint
  • Unauthorized writes: Attackers could upload malicious content or tamper with existing data
  • Compliance violations: Publicly accessible data may violate regulatory requirements (GDPR, HIPAA, etc.)
  • Cost impact: Unexpected cross-region data transfer charges from unauthorized access

Important: Once a Multi-Region Access Point is created, its Block Public Access settings cannot be changed. You must delete and recreate the MRAP to fix this.

Remediation Steps

Prerequisites

  • AWS Console access with permissions to manage S3 Multi-Region Access Points
  • The MRAP name that failed the check

AWS Console Method

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/
  2. In the left navigation, click Multi-Region Access Points
  3. Find and note the configuration of the non-compliant MRAP (the buckets it connects to)
  4. Select the non-compliant MRAP and click Delete
  5. Type the MRAP name to confirm deletion and click Delete
  6. Click Create Multi-Region Access Point
  7. Enter a name for your new MRAP
  8. Under Block Public Access settings for this Multi-Region Access Point, ensure all four options are checked:
    • Block all public access (recommended)
    • Or individually enable all four settings
  9. Add the same buckets that were in the original MRAP
  10. Click Create Multi-Region Access Point

Note: MRAP creation takes several minutes to complete. The status will show "Creating" until ready.

AWS CLI (optional)

List existing Multi-Region Access Points:

aws s3control list-multi-region-access-points \
--account-id <your-account-id> \
--region us-west-2

Note: All MRAP API operations are routed through us-west-2 regardless of where your buckets are located.

Get details of a specific MRAP:

aws s3control get-multi-region-access-point \
--account-id <your-account-id> \
--name <mrap-name> \
--region us-west-2

Delete the non-compliant MRAP:

aws s3control delete-multi-region-access-point \
--account-id <your-account-id> \
--details "Name=<mrap-name>" \
--region us-west-2

Create a new MRAP with Block Public Access enabled:

aws s3control create-multi-region-access-point \
--account-id <your-account-id> \
--details '{
  "Name": "my-secure-mrap",
  "PublicAccessBlock": {
    "BlockPublicAcls": true,
    "IgnorePublicAcls": true,
    "BlockPublicPolicy": true,
    "RestrictPublicBuckets": true
  },
  "Regions": [
    {"Bucket": "my-bucket-us-east-1"},
    {"Bucket": "my-bucket-us-west-2"}
  ]
}' \
--region us-west-2

Check operation status:

The create command returns a RequestTokenARN. Use it to check status:

aws s3control describe-multi-region-access-point-operation \
--account-id <your-account-id> \
--request-token-arn <request-token-arn> \
--region us-west-2

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 Multi-Region Access Point with Block Public Access enabled

Parameters:
  MRAPName:
    Type: String
    Description: Name for the Multi-Region Access Point
    Default: my-secure-mrap

  Bucket1Name:
    Type: String
    Description: Name of the first S3 bucket (must exist in a different region)

  Bucket2Name:
    Type: String
    Description: Name of the second S3 bucket (must exist in a different region)

Resources:
  SecureMultiRegionAccessPoint:
    Type: AWS::S3::MultiRegionAccessPoint
    Properties:
      Name: !Ref MRAPName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      Regions:
        - Bucket: !Ref Bucket1Name
        - Bucket: !Ref Bucket2Name

Outputs:
  MultiRegionAccessPointAlias:
    Description: Alias of the Multi-Region Access Point
    Value: !GetAtt SecureMultiRegionAccessPoint.Alias

Deploy the stack:

aws cloudformation create-stack \
--stack-name secure-mrap-stack \
--template-body file://template.yaml \
--parameters \
ParameterKey=MRAPName,ParameterValue=my-secure-mrap \
ParameterKey=Bucket1Name,ParameterValue=my-bucket-us-east-1 \
ParameterKey=Bucket2Name,ParameterValue=my-bucket-us-west-2 \
--region us-east-1

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-west-2" # MRAP operations route to us-west-2
}

resource "aws_s3control_multi_region_access_point" "secure_mrap" {
  details {
    name = "my-secure-mrap"

    public_access_block {
      block_public_acls       = true
      ignore_public_acls      = true
      block_public_policy     = true
      restrict_public_buckets = true
    }

    region {
      bucket = "my-bucket-us-east-1"
    }

    region {
      bucket = "my-bucket-us-west-2"
    }
  }
}

output "mrap_alias" {
  description = "The alias of the Multi-Region Access Point"
  value       = aws_s3control_multi_region_access_point.secure_mrap.alias
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After creating the new Multi-Region Access Point:

  1. Go to S3 > Multi-Region Access Points in the AWS Console
  2. Click on your new MRAP
  3. Verify the Block Public Access settings section shows all four settings as On

CLI verification

aws s3control get-multi-region-access-point \
--account-id <your-account-id> \
--name <mrap-name> \
--region us-west-2 \
--query 'AccessPoint.PublicAccessBlock'

Expected output:

{
  "BlockPublicAcls": true,
  "IgnorePublicAcls": true,
  "BlockPublicPolicy": true,
  "RestrictPublicBuckets": true
}
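The same verification as a script that evaluates every Multi-Region Access Point in the account at once, rather than one name at a time. This is an added example written for this page; it is not the check's own implementation and not code from the page. It assumes the boto3 s3control client with list_multi_region_access_points (paginated via NextToken, sent to us-west-2 as the notes above require) and an STS get_caller_identity call to discover the account id. The sample access point records are constructed so the evaluation logic runs offline; passing --live queries the real API instead. An MRAP with no PublicAccessBlock block, or with any of the four keys missing, is reported as non-compliant, since the absence of a restriction is the failure case the check is looking for.

```python
"""Evaluate S3 Multi-Region Access Points for the four Block Public Access settings."""
from __future__ import annotations

import json
import sys

# The four settings the check requires; every one must be exactly True to pass.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# MRAP control-plane API calls are served from us-west-2 only.
MRAP_CONTROL_REGION = "us-west-2"

# Constructed sample records shaped like entries of a list-multi-region-access-points
# response (not real account data): one compliant, one partial, one with no block at all.
SAMPLE_ACCESS_POINTS = [
    {
        "Name": "compliant-mrap", "Alias": "example1.mrap", "Status": "READY",
        "PublicAccessBlock": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    },
    {
        "Name": "partial-mrap", "Alias": "example2.mrap", "Status": "READY",
        "PublicAccessBlock": {
            "BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": False,
        },
    },
    {"Name": "legacy-mrap", "Alias": "example3.mrap", "Status": "READY"},
]


def missing_settings(public_access_block: dict | None) -> list[str]:
    """Return the required settings that are not True.

    A missing PublicAccessBlock, or a missing key inside it, counts as not
    enabled: only an explicit True satisfies the check.
    """
    pab = public_access_block or {}
    return [name for name in REQUIRED_SETTINGS if pab.get(name) is not True]


def evaluate_access_point(access_point: dict) -> dict:
    """Build one finding from a record in the list/get response shape."""
    missing = missing_settings(access_point.get("PublicAccessBlock"))
    return {
        "name": access_point.get("Name"),
        "alias": access_point.get("Alias"),
        "status": access_point.get("Status"),
        "compliant": not missing,
        "missing": missing,
    }


def evaluate_all(access_points: list[dict]) -> list[dict]:
    """Evaluate every record; the result is one finding per MRAP."""
    return [evaluate_access_point(ap) for ap in access_points]


def fetch_access_points(account_id: str | None = None) -> list[dict]:
    """List every MRAP in the account (assumed boto3 API names; imported lazily
    so the evaluation functions above run without boto3 installed)."""
    import boto3  # assumption: boto3 is available when --live is used

    if account_id is None:
        account_id = boto3.client("sts").get_caller_identity()["Account"]
    s3control = boto3.client("s3control", region_name=MRAP_CONTROL_REGION)
    points: list[dict] = []
    kwargs = {"AccountId": account_id}
    while True:  # follow NextToken until the listing is exhausted
        resp = s3control.list_multi_region_access_points(**kwargs)
        points.extend(resp.get("AccessPoints", []))
        token = resp.get("NextToken")
        if not token:
            return points
        kwargs["NextToken"] = token


if __name__ == "__main__":
    records = fetch_access_points() if "--live" in sys.argv else SAMPLE_ACCESS_POINTS
    findings = evaluate_all(records)
    print(json.dumps(findings, indent=2))
    # Non-zero exit when any MRAP fails, so the script can gate a pipeline.
    sys.exit(0 if all(f["compliant"] for f in findings) else 1)
```

Run it with no arguments to see the three constructed findings, or with --live (and credentials that allow s3:ListMultiRegionAccessPoints) to evaluate the real account. Because the settings are immutable after creation, a non-compliant finding here maps directly to the delete-and-recreate procedure in the remediation steps above.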

Additional Resources

Notes

  • Immutable settings: Block Public Access settings on MRAPs cannot be modified after creation. You must delete and recreate the MRAP to change these settings.
  • API routing: All Multi-Region Access Point API operations are automatically routed to the US West (Oregon) region (us-west-2), regardless of where you run the command.
  • Creation time: Creating an MRAP can take several minutes. Monitor the status before attempting to use it.
  • Bucket requirements: The S3 buckets you associate with an MRAP must already exist and be in different AWS regions.
  • Defense in depth: While MRAP Block Public Access provides protection at the access point level, also ensure Block Public Access is enabled at the account level and on individual buckets for comprehensive protection.