ACCT.08 Prevent public access to private Amazon S3 buckets - AWS Prescriptive Guidance

ACCT.08 Prevent public access to private Amazon S3 buckets

By default, the root user of the AWS account and the IAM principal that created the bucket have permissions to read and write to Amazon S3 buckets. Additional IAM principals are granted access by using identity-based policies, and access conditions can be enforced by using a bucket policy. You can create bucket policies that grant the general public access to the bucket, creating a public bucket.

Buckets created on or after April 28, 2023 have the Block Public Access setting enabled by default. For buckets created before this date, a misconfigured bucket policy can unintentionally grant public access. You can help prevent this by enabling the Block Public Access setting for each bucket. If you have no current or future use cases for a public Amazon S3 bucket, enable this setting at the AWS account level.

To prevent public access to Amazon S3 buckets

  1. Follow the steps in Configure block public access settings for your Amazon S3 buckets in the Amazon S3 documentation.
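The same procedure as an API call, for accounts with many buckets where the console step does not scale. This is an added example written with boto3, not code from the AWS page; it assumes credentials allowed to call GetPublicAccessBlock and PutPublicAccessBlock for buckets and the account, and runs in audit mode unless `--apply` is passed. The audit helpers work on plain dicts so they can be checked offline against constructed responses.

```python
"""Audit, and optionally enforce, S3 Block Public Access at bucket and account level.

Added example (not from the AWS page). Assumes boto3 credentials with
s3:GetBucketPublicAccessBlock, s3:PutBucketPublicAccessBlock and
s3:PutAccountPublicAccessBlock when run against AWS.
"""

# The four Block Public Access settings exposed by the S3 and S3 Control APIs.
REQUIRED_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                     "BlockPublicPolicy", "RestrictPublicBuckets")


def missing_settings(config):
    """Return the settings that are not enabled in a PublicAccessBlockConfiguration dict.

    A missing key counts as disabled: an older bucket that never had the setting
    applied returns no configuration at all (mapped to {} by bucket_config below).
    """
    return [name for name in REQUIRED_SETTINGS if not config.get(name, False)]


def enforcing_config():
    """The configuration that blocks every public-access path (ACLs and policies)."""
    return {name: True for name in REQUIRED_SETTINGS}


def bucket_config(s3, bucket):
    """Fetch a bucket's Block Public Access config; 'no configuration' means nothing is blocked."""
    from botocore.exceptions import ClientError  # local import keeps the dict helpers offline-testable
    try:
        return s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return {}
        raise


def enforce(apply=False):
    """Return {bucket: [missing settings]}; with apply=True also turn all four on, then set the account level."""
    import boto3
    s3 = boto3.client("s3")
    gaps = {}
    for b in s3.list_buckets()["Buckets"]:
        missing = missing_settings(bucket_config(s3, b["Name"]))
        if missing:
            gaps[b["Name"]] = missing
            if apply:
                s3.put_public_access_block(Bucket=b["Name"],
                                           PublicAccessBlockConfiguration=enforcing_config())
    if apply:  # the account-level setting also covers buckets created later
        account = boto3.client("sts").get_caller_identity()["Account"]
        boto3.client("s3control").put_public_access_block(
            AccountId=account, PublicAccessBlockConfiguration=enforcing_config())
    return gaps


if __name__ == "__main__":
    import sys
    for name, missing in enforce(apply="--apply" in sys.argv).items():
        print(f"{name}: not enabled -> {', '.join(missing)}")
```

Run it without arguments first to see which buckets report gaps; a bucket listed with all four settings missing has no Block Public Access configuration at all, which is the state this page warns about for pre-2023 buckets.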

AWS Trusted Advisor generates a yellow finding for Amazon S3 buckets that allow list or read access to the public and a red finding for buckets that allow public uploads or deletes. Follow ACCT.12 Monitor for and resolve AWS Trusted Advisor high-risk items to identify and correct misconfigured buckets. In the Amazon S3 console, the Buckets list shows whether each bucket is publicly accessible.