S3 Bucket Does Not Block Public Access
Overview
Public S3 buckets are one of the biggest sources of cloud data breaches and a common entry point for AWS ransomware attacks. By default, newly created S3 buckets and objects are private, and since April 2023 new buckets also have all Block Public Access settings enabled. However, an IAM principal with sufficient S3 permissions (for example s3:PutBucketPublicAccessBlock, s3:PutBucketPolicy or s3:PutBucketAcl) can switch the block off and then grant public access at the bucket and/or object level through a bucket policy or ACL.
Amazon S3 Block public access (bucket settings)
prevents the accidental or malicious public exposure of data contained within the respective bucket(s).
Amazon S3 Block public access (account settings)
prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.
Both levels consist of the same four settings: BlockPublicAcls and IgnorePublicAcls (reject new public ACLs and ignore existing ones), BlockPublicPolicy (reject bucket policies that grant public access) and RestrictPublicBuckets (limit access to an already-public bucket to AWS principals and authorized users in the account). A setting is enforced for a bucket if it is enabled at either level, so an account-level block cannot be overridden per bucket; a bucket with no configuration at all behaves as if all four settings were disabled.
Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case. The account-level block is the stronger control; buckets that genuinely need to be public (for example static website hosting) are best placed in a dedicated account so the rest of the estate can keep the account-level block enabled.
Note: When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.
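The following added example (not code from the original page or from AWS) shows how a scanner would evaluate this control. It works on the PublicAccessBlockConfiguration dicts returned by s3.get_public_access_block() (bucket level) and s3control.get_public_access_block() (account level), merges the two levels the way S3 enforces them, and treats a bucket with no configuration as fully unblocked. The bucket names and configurations below are constructed sample data; the two functions that take a boto3 client are included for completeness but are not invoked here.

```python
"""Evaluate S3 Block Public Access at bucket and account level (added example)."""
from typing import Dict, List, Optional

# The four settings that make up a PublicAccessBlockConfiguration.
SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

Config = Optional[Dict[str, bool]]  # None = no configuration present


def normalize(cfg: Config) -> Dict[str, bool]:
    """Fill in the four settings, defaulting to False.

    A bucket (or account) with no configuration behaves as if every
    setting were disabled. The API signals that case with a
    NoSuchPublicAccessBlockConfiguration error, which callers map to None.
    """
    if cfg is None:
        return {k: False for k in SETTINGS}
    return {k: bool(cfg.get(k, False)) for k in SETTINGS}


def effective_settings(bucket_cfg: Config, account_cfg: Config) -> Dict[str, bool]:
    """A setting is enforced if it is enabled at either level."""
    b, a = normalize(bucket_cfg), normalize(account_cfg)
    return {k: b[k] or a[k] for k in SETTINGS}


def evaluate_bucket(name: str, bucket_cfg: Config, account_cfg: Config) -> Dict:
    """Return a finding: compliant only when all four settings are effective."""
    eff = effective_settings(bucket_cfg, account_cfg)
    missing = [k for k in SETTINGS if not eff[k]]
    return {"bucket": name, "compliant": not missing, "missing": missing, "effective": eff}


def find_noncompliant(buckets: Dict[str, Config], account_cfg: Config) -> List[str]:
    """Names of buckets that fail the control given the account-level settings."""
    return [n for n, c in buckets.items() if not evaluate_bucket(n, c, account_cfg)["compliant"]]


def fetch_bucket_config(s3_client, bucket: str) -> Config:
    """Live lookup with boto3 (not run in this example): map 'no config' to None."""
    try:
        return s3_client.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except s3_client.exceptions.NoSuchPublicAccessBlockConfiguration:
        return None


def remediate_bucket(s3_client, bucket: str) -> None:
    """Enable all four settings on a bucket (not run in this example)."""
    s3_client.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={k: True for k in SETTINGS},
    )


# Constructed sample data in the shape boto3 returns under
# response["PublicAccessBlockConfiguration"]; these buckets do not exist.
SAMPLE_BUCKETS: Dict[str, Config] = {
    "finance-exports": {k: True for k in SETTINGS},
    "marketing-assets": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,   # a public bucket policy could still be attached
        "RestrictPublicBuckets": False,
    },
    "legacy-logs": None,  # get_public_access_block raised NoSuchPublicAccessBlockConfiguration
}
NO_ACCOUNT_BLOCK: Config = None
ACCOUNT_BLOCK_ALL: Config = {k: True for k in SETTINGS}

if __name__ == "__main__":
    for account_cfg, label in ((NO_ACCOUNT_BLOCK, "no account-level block"),
                               (ACCOUNT_BLOCK_ALL, "account-level block enabled")):
        print(f"[{label}]")
        for name, cfg in SAMPLE_BUCKETS.items():
            finding = evaluate_bucket(name, cfg, account_cfg)
            status = "PASS" if finding["compliant"] else "FAIL"
            print(f"  {status} {name} missing={finding['missing']}")
```

Run against a real account by replacing SAMPLE_BUCKETS with fetch_bucket_config() results for each bucket from s3.list_buckets() and the account configuration from s3control.get_public_access_block(AccountId=...); the same s3control client's put_public_access_block() enables the account-level block. Note that the evaluation is only as good as the credentials used to read the settings, so the scanning principal needs s3:GetBucketPublicAccessBlock and s3:GetAccountPublicAccessBlock.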
Vendor
AWS
Cloud Service
S3
Related Controls
CIS AWS Foundations Benchmark v1.5.0 2.1.5; CSMM v1 DAT-03.1; AWS Security Hub S3.1, S3.2, S3.3, S3.8
References
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html
Severity
4
Item Types
AWS::S3::Bucket