More Info:

Amazon S3 Block Public Access feature should be enabled for your S3 buckets to restrict public access to all objects available within these buckets, including those that you upload in the future.

Risk Level

Critical

Address

Security

Compliance Standards

HIPAA, PCIDSS, CISAWS, CBP, NIST, GDPR, HITRUST, SOC2, NISTCSF, FedRAMP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration in AWS:
  1. Login to your AWS Management Console.
  2. Navigate to the S3 service.
  3. Click on the bucket name you want to remediate.
  4. Click on the “Permissions” tab.
  5. Scroll down to the “Block public access” section.
  6. Click on the “Edit” button.
  7. Enable the “Block all public access” option.
  8. Click on the “Save changes” button.
  9. Repeat the above steps for all the buckets in your AWS account.
By following the above steps, you have successfully enabled the S3 Block Public Access feature in your AWS account and remediated the misconfiguration.

To remediate the misconfiguration “S3 Block Public Access Feature Should Be Enabled” for AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine or instance.
  2. Run the following command to enable the S3 Block Public Access feature on your AWS account:
aws s3api put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
This command sets the BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets parameters to true, which blocks public access to S3 buckets and objects.
  1. Verify that the S3 Block Public Access feature is enabled by running the following command:
aws s3api get-public-access-block
This command retrieves the current public access block configuration for your AWS account.
  1. If the S3 Block Public Access feature is not enabled, repeat step 2 to enable it.
  2. Once the S3 Block Public Access feature is enabled, you can verify that all S3 buckets in your AWS account have the feature enabled by running the following command: 
aws s3api get-bucket-policy-status --bucket <bucket-name>
Replace <bucket-name> with the name of the S3 bucket you want to verify. This command retrieves the current policy status for the specified S3 bucket.
  1. If the policy status for the S3 bucket is not compliant, update the bucket policy to ensure that public access is blocked. You can use the following policy as an example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
Replace <bucket-name> with the name of the S3 bucket you want to update. This policy denies all public access to the specified S3 bucket.
  1. Repeat step 5 and 6 for all S3 buckets in your AWS account to ensure that public access is blocked.
To remediate the “S3 Block Public Access Feature Should Be Enabled” misconfiguration in AWS using Python, follow these steps:
  1. Install the AWS SDK for Python (Boto3) by running the following command in your command prompt or terminal:
pip install boto3
  1. Import the Boto3 library and create a client for S3:
import boto3

s3 = boto3.client('s3')
  1. Enable the “Block Public Access” feature for all existing and future S3 buckets by setting the BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets parameters to True:
response = s3.put_public_access_block(
    PublicAccessBlockConfiguration={
        'BlockPublicAcls': True,
        'IgnorePublicAcls': True,
        'BlockPublicPolicy': True,
        'RestrictPublicBuckets': True
    }
)
  1. Verify that the “Block Public Access” feature has been enabled by checking the response from the put_public_access_block() method:
print(response)
The response should contain the following JSON object:
{
    "ResponseMetadata": {
        "RequestId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "HTTPStatusCode": 200,
        "HTTPHeaders": {
            "x-amz-id-2": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "x-amz-request-id": "xxxxxxxxxxxxxxxx",
            "date": "Wed, 19 May 2021 00:00:00 GMT",
            "content-length": "0",
            "server": "AmazonS3"
        },
        "RetryAttempts": 0
    }
}
By following these steps, you should be able to remediate the “S3 Block Public Access Feature Should Be Enabled” misconfiguration in AWS using Python.

Additional Reading: