AWS S3 Multi-Region Access Point is not configured to block public access
- Contextual name: Multi-Region Access Point is not configured to block public access
- ID: /ce/ca/aws/s3/multi-region-access-point-block-public-access
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [S3.24] S3 Multi-Region Access Points should have block public access settings enabled
Description
This policy identifies AWS S3 Multi-Region Access Points that are not configured to block all public access.
S3 Multi-Region Access Points provide a single global endpoint to access datasets replicated across multiple AWS Regions. Each multi-region access point has its own Block Public Access settings, which serve as a centralized control to prevent accidental data exposure across all associated buckets.
Rationale
Enabling all four Block Public Access settings on an S3 Multi-Region Access Point matters because the access point is the single global endpoint for data replicated across several Regions. Its settings are evaluated in addition to the account-level and bucket-level Block Public Access settings of the member buckets, so a permissive bucket policy or ACL on any one of those buckets cannot expose the data through the global endpoint. Leaving any of the four settings off reintroduces a path by which sensitive data can be reached anonymously from the public internet.
Audit
This policy flags an AWS S3 Multi-Region Access Point as INCOMPLIANT if any of the following settings are not set to Yes:
- Block Public ACLs
- Block Public Policy
- Ignore Public ACLs
- Restrict Public Buckets
Remediation
Enable Block Public Access for S3 Multi-Region Access Points
The Block Public Access settings of an S3 Multi-Region Access Point are immutable: they are fixed when the access point is created and cannot be changed afterwards. To remediate, create a new multi-region access point (MRAP) with all four settings enabled, migrate every dependency from the incompliant one, and then delete it. Note that the replacement receives a newly generated alias, and therefore a new global endpoint and a new ARN, so every client configuration, IAM or bucket policy, and SDK setting that refers to the old MRAP must be updated before the old one is removed.
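The following Python script is an added example, not Cloudaware's policy logic and not code from AWS. It shows both halves of this page in code: the audit rule above (an MRAP is INCOMPLIANT when any of the four Block Public Access settings is not enabled) evaluated over the shape that boto3's `list_multi_region_access_points` returns, and the remediation pattern of creating a replacement MRAP with all four settings set to true and polling the asynchronous create operation until it finishes. The sample access-point entries, the account ID `123456789012`, the bucket and MRAP names, and the fake client in the test are constructed; the status names `SUCCEEDED`/`FAILED` follow the DescribeMultiRegionAccessPointOperation documentation. The boto3 client is injected rather than imported so the script runs offline.

```python
"""Audit S3 Multi-Region Access Points for Block Public Access and build a
compliant replacement. Added example; not Cloudaware's or AWS's own code."""
import time
import uuid

# The four settings the policy requires; every one must be True.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def missing_settings(mrap: dict) -> list[str]:
    """Return the settings that are not enabled on one MRAP entry (shaped like
    an item of ListMultiRegionAccessPoints' 'AccessPoints'). A missing
    PublicAccessBlock block counts as all four settings missing."""
    pab = mrap.get("PublicAccessBlock") or {}
    return [name for name in REQUIRED_SETTINGS if pab.get(name) is not True]


def find_noncompliant(access_points: list[dict]) -> dict[str, list[str]]:
    """Map each INCOMPLIANT MRAP name to the list of settings it is missing."""
    result = {}
    for mrap in access_points:
        missing = missing_settings(mrap)
        if missing:
            result[mrap["Name"]] = missing
    return result


def compliant_details(name: str, buckets: list[str]) -> dict:
    """Build the 'Details' argument of CreateMultiRegionAccessPoint with all
    four blocking options enabled; they cannot be changed after creation."""
    return {
        "Name": name,
        "PublicAccessBlock": {setting: True for setting in REQUIRED_SETTINGS},
        "Regions": [{"Bucket": bucket} for bucket in buckets],
    }


def list_all_mraps(client, account_id: str) -> list[dict]:
    """Page through ListMultiRegionAccessPoints. `client` is an s3control
    client created in us-west-2, where MRAP control-plane calls are served."""
    points, kwargs = [], {"AccountId": account_id}
    while True:
        page = client.list_multi_region_access_points(**kwargs)
        points.extend(page.get("AccessPoints", []))
        token = page.get("NextToken")
        if not token:
            return points
        kwargs["NextToken"] = token


def create_and_wait(client, account_id: str, details: dict,
                    poll_seconds: float = 10.0, max_polls: int = 180) -> str:
    """Create the MRAP and poll the asynchronous operation until it reaches a
    terminal RequestStatus. Returns 'SUCCEEDED' or 'FAILED'."""
    resp = client.create_multi_region_access_point(
        AccountId=account_id, ClientToken=str(uuid.uuid4()), Details=details)
    token_arn = resp["RequestTokenARN"]
    for _ in range(max_polls):
        op = client.describe_multi_region_access_point_operation(
            AccountId=account_id, RequestTokenARN=token_arn)
        status = op["AsyncOperation"]["RequestStatus"]
        if status in ("SUCCEEDED", "FAILED"):
            return status
        time.sleep(poll_seconds)
    raise TimeoutError(f"MRAP creation {token_arn} still pending after polling")


# Constructed sample shaped like a ListMultiRegionAccessPoints response: one
# compliant MRAP and one that had two settings left off at creation time.
SAMPLE_ACCESS_POINTS = [
    {"Name": "payments-mrap", "Status": "READY",
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "Regions": [{"Bucket": "payments-us-east-1", "Region": "us-east-1"}]},
    {"Name": "assets-mrap", "Status": "READY",
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                           "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
     "Regions": [{"Bucket": "assets-eu-west-1", "Region": "eu-west-1"}]},
]

if __name__ == "__main__":
    # Offline run over the constructed sample. To audit a real account, replace
    # SAMPLE_ACCESS_POINTS with
    # list_all_mraps(boto3.client("s3control", region_name="us-west-2"), "123456789012").
    for name, missing in find_noncompliant(SAMPLE_ACCESS_POINTS).items():
        print(f"INCOMPLIANT {name}: missing {', '.join(missing)}")
```

Two design points: `missing_settings` treats anything other than an explicit `True` as missing, so an entry with no `PublicAccessBlock` at all is reported rather than silently passing; and `create_and_wait` does not return on the `RequestTokenARN` alone, because the create call is asynchronous and the MRAP is not usable (and clients cannot be repointed) until the operation reports `SUCCEEDED`.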
Remediation Steps
Create a new S3 Multi-Region Access Point
Use the following command to create a new MRAP with all public access blocked. The name, the member buckets and the Block Public Access settings are all passed inside the --details parameter; make sure that all four blocking options in PublicAccessBlock are set to true. MRAP control-plane requests are served from us-west-2, so pass that region regardless of where the member buckets live. The command is asynchronous and returns a RequestTokenARN; poll describe-multi-region-access-point-operation with that ARN until RequestStatus is SUCCEEDED, and confirm the settings with get-multi-region-access-point, before pointing any client at the new access point.

```bash
aws s3control create-multi-region-access-point \
  --region us-west-2 \
  --account-id {{account-id}} \
  --details "Name={{new-mrap-name}},PublicAccessBlock={BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true},Regions=[{Bucket={{bucket-name-1}}},{Bucket={{bucket-name-2}}}]"
```

Update All References to the New Multi-Region Access Point
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [S3.24] S3 Multi-Region Access Points should have block public access settings enabled | 1 | no data | | | |
| AWS Well-Architected → SEC08-BP04 Enforce access control | 7 | no data | | | |
| Cloudaware Framework → Public and Anonymous Access | 106 | no data | | | |
| PCI DSS v3.2.1 → 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks. | 11 | no data | | | |
| PCI DSS v4.0.1 → 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks. | 11 | no data | | | |
| PCI DSS v4.0 → 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks. | 11 | no data | | | |