🛡️ AWS S3 Access Point is not configured to block public access🟢

• Contextual name: 🛡️ Access Point is not configured to block public access🟢
• ID: /ce/ca/aws/s3/access-point-block-public-access
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS S3 Access Point
  • 🔌 AWS S3 Access Point - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [S3.19] S3 access points should have block public access settings enabled

Description

Open File

Description

This policy identifies AWS S3 Access Points that are not configured to block all public access.

Amazon S3 Access Points simplify managing data access at scale for shared datasets stored in S3. Each access point has its own permissions and network controls, including Block Public Access settings. These settings provide an additional security layer to prevent accidental public exposure of data through the access point.

Rationale

Keeping Block Public Access settings enabled for S3 Access Points ensures that, regardless of the underlying bucket policies or object ACLs, the access point will reject all public requests. This helps prevent data leaks caused by misconfigurations and enforces a strict boundary against unauthorized public access.

Audit

This policy flags an AWS S3 Access Point as INCOMPLIANT if any of the following settings are not set to Yes:

• Block Public ACLs
• Block Public Policy
• Ignore Public ACLs
• Restrict Public Buckets

Remediation

Open File

Remediation

Enable Block Public Access for S3 Access Points

The Block Public Access settings for an S3 Access Point are immutable and cannot be modified after the access point is created. To remediate this issue, you must create a new access point with the correct configuration and migrate all dependencies from the incompliant one.

Remediation Steps

1. Create a new S3 Access Point

   Use the following command to create a new access point with all public access blocked. Ensure that the --public-access-block-configuration parameter includes all four blocking options set to true:

   aws s3control create-access-point \
       --account-id {{account-id}} \
       --name {{new-access-point-name}} \
       --bucket {{bucket-name}} \
       --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

2. Update All References to the New Access Point

   Update all dependent resources to use the ARN of the new access point instead of the old one.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.19] S3 access points should have block public access settings enabled			1		no data
💼 AWS Well-Architected → 💼 SEC08-BP04 Enforce access control			7		no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			106		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	72		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	89		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	52		no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	61		no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			12		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	64		no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			12		no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			35		no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			12		no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			28		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			72		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			40		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			72		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		73		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			52		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		61		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			12		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		53		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			12		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			35		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			150		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			149		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			76		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			120		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			164		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			140		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			156		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			103		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	44		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	99		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	52		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	54		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	66		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			35		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			28		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			29		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			12		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			28		no data
💼 PCI DSS v3.2.1 → 💼 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.			11		no data
💼 PCI DSS v4.0.1 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			11		no data
💼 PCI DSS v4.0 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			11		no data