
Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'

Amazon S3 provides *Block public access (bucket settings)* and *Block public access (account settings)* to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level.

Category

Controls

Medium

Applies to

AWS

Coverage

null controls, 1 query

Asset types

1 covered

Overview


While enabled, Block public access (bucket settings) prevents an individual bucket and its objects from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets and their objects in an account from becoming publicly accessible.

Amazon S3 Block public access (bucket settings) prevents the accidental or malicious public exposure of data contained within the respective bucket(s).

Amazon S3 Block public access (account settings) prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.

Whether to block public access for all buckets or only some of them is an organizational decision that should be based on data sensitivity, least privilege, and use case.

When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.

Remediation guidance

From Console

By using Block Public Access (bucket settings):

  1. Log in to the AWS Management Console and open the Amazon S3 console.
  2. Click on the bucket name.
  3. Go to Permissions tab.
  4. Click Edit for Block all public access (bucket setting).
  5. Ensure that block public access settings are set appropriately for this bucket.
  6. Repeat for all the buckets in your AWS account that contain sensitive data.

By using Block Public Access (account settings):

  1. Log in to the AWS Management Console and open the Amazon S3 console.
  2. In the left navigation pane, choose Block Public Access settings for this account.
  3. Ensure that block public access settings are set appropriately for your AWS account.

From Command Line

To set Block Public access settings for the buckets, run the following commands:

  1. List all of the S3 buckets:
     aws s3 ls
  2. Enable all four Block Public Access settings on each bucket (repeat for every bucket name returned above):
     aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

To set Block Public access settings for the account, run the following command:

aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true --account-id <value>
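As an added example (not Cyscale's or AWS's own code), the following Python script does what the bucket-level CLI steps above do, but across every bucket in the account: it reads each bucket's current Block Public Access configuration, treats a missing configuration as fully open, and applies all four settings only where at least one is off. It assumes boto3 and the usual AWS credential chain; the helper names (current_block, is_fully_blocked, remediate) are mine.

```python
"""Audit and remediate bucket-level Block Public Access (added example, not
Cyscale's or AWS's code). Mirrors the aws s3api put-public-access-block step
above; boto3 is imported only in main() so the logic is testable offline."""

REQUIRED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def current_block(s3, bucket):
    """Return the bucket's PublicAccessBlockConfiguration, or {} when none is
    set: such buckets raise NoSuchPublicAccessBlockConfiguration."""
    try:
        resp = s3.get_public_access_block(Bucket=bucket)
    except Exception as exc:  # botocore ClientError exposes .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return {}
        raise
    return resp["PublicAccessBlockConfiguration"]


def is_fully_blocked(config):
    """True only when all four settings are on; a partial block still fails."""
    return all(config.get(k) is True for k in REQUIRED)


def remediate(s3, dry_run=False):
    """Enable all four settings on every bucket lacking them; return their names."""
    fixed = []
    for b in s3.list_buckets()["Buckets"]:
        name = b["Name"]
        if is_fully_blocked(current_block(s3, name)):
            continue
        fixed.append(name)
        if not dry_run:
            s3.put_public_access_block(
                Bucket=name, PublicAccessBlockConfiguration=dict(REQUIRED))
    return fixed


def main():
    import sys
    import boto3  # credentials/region come from the normal boto3 chain
    dry = "--dry-run" in sys.argv
    for name in remediate(boto3.client("s3"), dry_run=dry):
        print(("would fix " if dry else "fixed ") + name)


if __name__ == "__main__":
    main()
```

Run it with --dry-run first to see which buckets would change; the same is_fully_blocked test is what the control's publicAccessBlocked query expresses.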

Multiple Remediation Paths

AWS

SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.

PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
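One way to implement the preventive check, as an added example that is not Cyscale's tooling: a Python script that lints CloudFormation JSON templates in CI and fails when any AWS::S3::Bucket omits a fully enabled PublicAccessBlockConfiguration. The function names and the embedded sample template are constructed for illustration; YAML templates would additionally need PyYAML with a CloudFormation tag loader.

```python
"""CI check for CloudFormation templates: fail when an AWS::S3::Bucket does not
enable all four Block Public Access settings. Added example, not Cyscale's or
AWS's code; reads JSON templates (YAML would need PyYAML plus a CFN tag loader)."""
import json
import sys

SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_true(value):
    # CFN accepts bools or their string forms; an intrinsic ({"Ref": ...}) is not provably safe.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def noncompliant_buckets(template):
    """Return {logical_id: [missing settings]} for buckets not fully blocked."""
    bad = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        pab = props.get("PublicAccessBlockConfiguration") or {}
        missing = [s for s in SETTINGS if not _is_true(pab.get(s))]
        if missing:
            bad[logical_id] = missing
    return bad


# Constructed sample: one compliant bucket, one partial, one with no block at all.
SAMPLE_TEMPLATE = {"Resources": {
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {s: True for s in SETTINGS}}},
    "Assets": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
                                           "IgnorePublicAcls": "true",
                                           "BlockPublicPolicy": False}}},
    "Legacy": {"Type": "AWS::S3::Bucket"},
    "Queue": {"Type": "AWS::SQS::Queue"},
}}


def main(paths):
    """Lint each template file; return 1 (CI failure) if any bucket is open."""
    failed = False
    for path in paths:
        with open(path) as fh:
            for bucket, missing in noncompliant_buckets(json.load(fh)).items():
                print(f"{path}: {bucket} lacks {', '.join(missing)}")
                failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```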

References for Service-Wide Patterns

  • AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
  • AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

  • AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

2. Remediate Existing Affected Assets

  • Execute the control-specific Console/CLI steps documented above for each flagged resource.
  • Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

  • Re-scan after each remediation batch.
  • Track exceptions with owner and expiry date.
  • Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

S3 Buckets are configured with 'Block public access (bucket settings)'

Connectors

AWS

Covered asset types

Bucket

Expected check: eq [] (the control passes only when the query below returns an empty list, i.e. no bucket in the account has publicAccessBlocked set to false)

buckets(where: { publicAccessBlocked: false }) {...AssetFragment}
© 2026 Cyscale Limited
