S3 Block Public Access Feature Should Be Enabled

More Info:

Amazon S3 Block Public Access feature should be enabled for your S3 buckets to restrict public access to all objects available within these buckets, including those that you upload in the future.

Risk Level

Critical

Address

Security

Compliance Standards

HIPAA, PCIDSS, CISAWS, CBP, NIST, GDPR, HITRUST, SOC2, NISTCSF, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “S3 Block Public Access Feature Should Be Enabled” for AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine or instance.
Run the following command to enable the S3 Block Public Access feature on your AWS account:

aws s3api put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

This command sets the BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets parameters to true, which blocks public access to S3 buckets and objects.

Verify that the S3 Block Public Access feature is enabled by running the following command:

aws s3api get-public-access-block

This command retrieves the current public access block configuration for your AWS account.

If the S3 Block Public Access feature is not enabled, repeat step 2 to enable it.
Once the S3 Block Public Access feature is enabled, you can verify that all S3 buckets in your AWS account have the feature enabled by running the following command:

aws s3api get-bucket-policy-status --bucket <bucket-name>

Replace <bucket-name> with the name of the S3 bucket you want to verify. This command retrieves the current policy status for the specified S3 bucket.

If the policy status for the S3 bucket is not compliant, update the bucket policy to ensure that public access is blocked. You can use the following policy as an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Replace <bucket-name> with the name of the S3 bucket you want to update. This policy denies all public access to the specified S3 bucket.

Repeat step 5 and 6 for all S3 buckets in your AWS account to ensure that public access is blocked.

Using Python

To remediate the “S3 Block Public Access Feature Should Be Enabled” misconfiguration in AWS using Python, follow these steps:

Install the AWS SDK for Python (Boto3) by running the following command in your command prompt or terminal:

pip install boto3

Import the Boto3 library and create a client for S3:

import boto3

s3 = boto3.client('s3')

Enable the “Block Public Access” feature for all existing and future S3 buckets by setting the BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets parameters to True:

response = s3.put_public_access_block(
    PublicAccessBlockConfiguration={
        'BlockPublicAcls': True,
        'IgnorePublicAcls': True,
        'BlockPublicPolicy': True,
        'RestrictPublicBuckets': True
    }
)

Verify that the “Block Public Access” feature has been enabled by checking the response from the put_public_access_block() method:

print(response)

The response should contain the following JSON object:

{
    "ResponseMetadata": {
        "RequestId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "HTTPStatusCode": 200,
        "HTTPHeaders": {
            "x-amz-id-2": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "x-amz-request-id": "xxxxxxxxxxxxxxxx",
            "date": "Wed, 19 May 2021 00:00:00 GMT",
            "content-length": "0",
            "server": "AmazonS3"
        },
        "RetryAttempts": 0
    }
}

By following these steps, you should be able to remediate the “S3 Block Public Access Feature Should Be Enabled” misconfiguration in AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 Block Public Access Feature Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: