Severity: HIGH
Source: Trivy/CSPM
CSPM ID: s3-bucket-all-users-acl
ID: AVD-AWS-0086

S3 Access block should block public ACL

S3 buckets should block public ACLs on the bucket and on any objects it contains. With blocking enabled, a PUT call fails if the object has a public ACL attached.

Impact

PUT calls with public ACLs specified can make objects public

Follow the appropriate remediation steps below to resolve the issue.

Enable blocking any PUT calls with a public ACL specified

CloudFormation:

Resources:
  GoodExample:
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
    Type: AWS::S3::Bucket
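As an added example (not part of the original page or of Trivy), the following Python check evaluates the rule above against CloudFormation templates given in their JSON form: every AWS::S3::Bucket resource must set PublicAccessBlockConfiguration.BlockPublicAcls to true. The two templates are constructed sample input; the function name is hypothetical.

```python
import json

# Constructed sample templates (JSON form of CloudFormation), not real deployments.
GOOD_TEMPLATE = json.dumps({
    "Resources": {
        "GoodExample": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                }
            },
        }
    }
})

BAD_TEMPLATE = json.dumps({
    "Resources": {
        # No PublicAccessBlockConfiguration at all: public ACLs are not blocked.
        "NoBlock": {"Type": "AWS::S3::Bucket", "Properties": {}},
        # Configuration present but the flag explicitly switched off.
        "ExplicitOff": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": False}},
        },
        # Not a bucket; the check must ignore it.
        "NotABucket": {"Type": "AWS::SNS::Topic"},
    }
})


def block_public_acls_findings(template_json):
    """Return the logical IDs of AWS::S3::Bucket resources that do not set
    PublicAccessBlockConfiguration.BlockPublicAcls to true.

    A missing configuration, a missing key and an explicit false are all
    reported: each leaves PUT calls with a public ACL able to succeed.
    """
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        pab = props.get("PublicAccessBlockConfiguration") or {}
        # CloudFormation accepts both the boolean true and the string "true".
        if str(pab.get("BlockPublicAcls", False)).lower() != "true":
            findings.append(logical_id)
    return findings
```

The same key names appear in the response of the S3 GetPublicAccessBlock API, so the evaluation loop can be reused against live bucket settings.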
Management Console:

1. Log in to the AWS Management Console.

2. Select the “Services” option and search for S3.

3. Scroll down the left navigation panel and choose “Buckets”.

4. Select the “Bucket” that needs to be verified and click on its identifier (name) in the “Bucket name” column.

5. Click on the “Permissions” tab on the top menu.

6. Check the “Access Control List” option under “Permissions”, scroll down the configuration page and check “Block public access (bucket settings)”. If its status is “Off”, public access to your S3 bucket and objects is open.

7. Scroll down to “Access control list (ACL)” and verify whether the bucket allows “Everyone (public access)”.

8. If public List, Read or Write is enabled in step 6 or 7, disable it by clicking “Edit” in “Block public access (bucket settings)”, select “Block all public access” and click the “Save changes” button.

9. In the “Edit Block public access (bucket settings)” confirmation box, type “confirm” in the text box and click the “Confirm” button.

10. Scroll down to “Access control list (ACL)” and click “Edit”. On the “Edit access control list (ACL)” page, uncheck all checkboxes other than “Bucket owner (your AWS account)” and click the “Save changes” button.

11. Repeat steps 4 to 10 to disable global write, delete or read ACL permissions in other S3 buckets.

Terraform:

resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"
}

# The public access block is a separate resource attached to the bucket by ID.
resource "aws_s3_bucket_public_access_block" "good_example" {
  bucket = aws_s3_bucket.good_example.id
  # Rejects PUT calls that specify a public ACL on the bucket or its objects.
  block_public_acls = true
}