Block Public Access enabled account-wide
Demonstrate that S3 Block Public Access settings are enabled at the AWS account level for all four protection mechanisms, preventing public exposure of data across all buckets within the account.
Description
What this control does
This control enforces Amazon S3 Block Public Access (BPA) settings at the AWS account level, preventing all buckets within the account from being configured with public access permissions. When enabled account-wide, BPA settings override individual bucket policies and access control lists that would otherwise grant public read or write access. This provides a centralized security boundary that prevents inadvertent or intentional exposure of sensitive data stored in S3 buckets, regardless of misconfigured bucket-level permissions.
Control objective
What auditing this proves
Demonstrate that S3 Block Public Access settings are enabled at the AWS account level for all four protection mechanisms, preventing public exposure of data across all buckets within the account.
Associated risks
Risks this control addresses
- Unauthorized public disclosure of sensitive customer data, intellectual property, or regulated information stored in S3 buckets due to misconfigured bucket policies
- Data exfiltration by external threat actors who discover publicly accessible buckets through automated scanning tools or misconfiguration enumeration
- Compliance violations under GDPR, HIPAA, PCI DSS, or other regulatory frameworks requiring access controls on sensitive data repositories
- Privilege escalation attacks where attackers leverage publicly writable buckets to inject malicious objects or overwrite legitimate files
- Reputational damage and financial penalties resulting from public data breach disclosures caused by S3 misconfigurations
- Shadow IT scenarios where development teams inadvertently expose staging or test data containing production-like sensitive information
- Supply chain attacks where compromised CI/CD pipelines or automation scripts grant unintended public access to artifact repositories
Testing procedure
How an auditor verifies this control
- Authenticate to the AWS Management Console or AWS CLI with credentials having s3:GetAccountPublicAccessBlock permissions
- Navigate to the S3 service console and select 'Block Public Access settings for this account' or execute 'aws s3control get-public-access-block --account-id [account-id] --region [region]' via CLI
- Record the current configuration status for all four BPA settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets
- Verify that all four settings display as 'On' in the console, or return 'true' in the API/CLI response; a missing account-level configuration (NoSuchPublicAccessBlockConfiguration) means none of the four protections is applied
- Review AWS Config rules or Security Hub findings to identify any compliance violations related to S3 public access in the past 90 days
- Select a representative sample of 10-15 S3 buckets across different business units and verify that bucket-level BPA settings cannot override account-level restrictions
- Examine CloudTrail logs for 'PutAccountPublicAccessBlock' API calls to confirm no unauthorized modifications to account-wide BPA settings occurred in the audit period
- Interview infrastructure and security teams to confirm processes exist for maintaining account-wide BPA and responding to exceptions requiring temporary public access
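As an added example that is not part of the original control text, the following Python script evaluates the JSON returned by the `aws s3control get-public-access-block` call from the testing procedure and reports which of the four settings are not enabled; the file name `check_bpa.py` and the sample responses are constructed assumptions.

```python
"""Evaluate account-level S3 Block Public Access settings (added example).

Pipe the CLI output in:
  aws s3control get-public-access-block --account-id <ACCOUNT_ID> | python check_bpa.py
"""
import json
import sys
from typing import Optional

# The four settings the auditor records; every one must be true.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def evaluate_bpa(response: Optional[dict]) -> dict:
    """Return {'compliant': bool, 'failing': [setting names that are not true]}.

    `response` is the parsed JSON from get-public-access-block. None models the
    NoSuchPublicAccessBlockConfiguration error (empty CLI stdout): no account-level
    configuration exists, so every setting is effectively off.
    """
    if response is None:
        return {"compliant": False, "failing": list(REQUIRED_SETTINGS)}
    config = response.get("PublicAccessBlockConfiguration", {})
    # A missing key counts as off; only an explicit true passes.
    failing = [name for name in REQUIRED_SETTINGS if config.get(name) is not True]
    return {"compliant": not failing, "failing": failing}


# Constructed sample responses, not captured from a real account.
COMPLIANT_SAMPLE = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
PARTIAL_SAMPLE = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False, "BlockPublicPolicy": True}}


def main() -> int:
    raw = sys.stdin.read().strip()
    result = evaluate_bpa(json.loads(raw) if raw else None)
    print(json.dumps(result, indent=2))
    return 0 if result["compliant"] else 1  # non-zero exit flags a finding


if __name__ == "__main__":
    sys.exit(main())
```

The non-zero exit status lets the same check run as a gate in a pipeline or scheduled job rather than only during a manual audit.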
Where this control is tested