
Ensure buckets are not publicly accessible

### Overview

Category

Controls

High

Applies to

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Coverage

4 queries

Asset types

2 covered

Overview

Buckets should almost never be publicly accessible (except when they are used to host public static websites). Although there is nothing inherently insecure about buckets, access control misconfigurations and a lack of understanding of how bucket security works can turn buckets into a vector for attack and data exfiltration. To avoid this, Cyscale looks for publicly accessible buckets.

Remediation guidance

AWS

From the Console

Perform the following actions to block all public access for a bucket:

  1. Open the security settings using the "Open in AWS" menu option
  2. Select the tab Permissions
  3. Under Block public access (bucket settings), select Edit
  4. Check the Block all public access checkbox
  5. Click Save changes

From the AWS CLI

aws s3api put-public-access-block --bucket <bucketName> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Default Value

By default, new buckets, access points, and objects do not allow public access.

References

  1. Configuring block public access settings for your S3 buckets
  2. put-public-access-block

Azure

From Azure Console

First, follow the Microsoft documentation and create shared access signature tokens for your blob containers. Then, follow these steps:

To change the access level for containers

  1. Go to Storage Accounts
  2. For each storage account, go to Containers under Data storage
  3. For each container, click Change access level
  4. Select for Public access level the Private (no anonymous access) option

To change the access level for blobs

  1. Go to Storage Accounts
  2. For each storage account, under Settings, go to Configuration
  3. Set Disabled for Allow Blob public access if no anonymous access is needed on the storage account

Using Azure Command Line Interface

Set the public access permission for the container to private (off):

az storage container set-permission --name <containerName> --public-access off --account-name <accountName> --account-key <accountKey>

Disallow public blob access for the storage account.

az storage account update --name <storageAccount> --resource-group <resourceGroup> --allow-blob-public-access false

Default Value

By default, Public access level is set to Private (no anonymous access) for blob containers. By default, AllowBlobPublicAccess is set to Null (allow in effect) for storage accounts.

References

  1. https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources
  2. https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
  3. https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy
  4. https://learn.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic

Google Cloud

From Google Cloud Console

  1. Go to Storage browser by visiting https://console.cloud.google.com/storage/browser
  2. Click on a bucket name to go to its Bucket details page
  3. Click on the PERMISSIONS tab
  4. For principals allUsers and allAuthenticatedUsers, click on the Edit principal pencil button to modify the permissions
  5. Click the Delete button on the right to remove that particular role assignment
  6. Select SAVE

CLI

Remove allUsers and allAuthenticatedUsers access.

gsutil iam ch -d allUsers gs://<bucketName>
gsutil iam ch -d allAuthenticatedUsers gs://<bucketName>

Prevention

You can prevent Storage buckets from becoming publicly accessible by setting up the Domain restricted sharing organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/iamallowedPolicyMemberDomains

Default Value

By default, Storage buckets are not publicly shared.

References

  1. https://cloud.google.com/storage/docs/access-control/iam-reference
  2. https://cloud.google.com/storage/docs/access-control/making-data-public
  3. https://cloud.google.com/storage/docs/gsutil/commands/iam

Additional information

To restrict access to buckets, configuring bucket IAM is preferred over configuring bucket ACLs. In the GCP console, "Edit Permissions" for a bucket exposes only the IAM configuration. Bucket ACLs are configured automatically as needed to implement and support the user-enforced bucket IAM policy. If an administrator changes a bucket ACL through the command line (gsutil) or the API, the bucket IAM policy is also updated automatically.

Alibaba Cloud

Multiple Remediation Paths

AWS

SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.

PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.

Google Cloud

SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.

gcloud org-policies set-policy policy.yaml

ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.

PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
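The `gcloud org-policies set-policy policy.yaml` command above does not show the file it consumes. The following is an added example, not Cyscale's or Google's own material: a `policy.yaml` that enforces the Domain restricted sharing constraint named in the Prevention section (`iam.allowedPolicyMemberDomains`). `ORGANIZATION_ID` is a placeholder for the numeric organization ID and `CUSTOMER_ID` for a Cloud Identity or Google Workspace customer ID (the value the constraint accepts, not a domain name).

```yaml
# Added example policy.yaml for:
#   gcloud org-policies set-policy policy.yaml
# Placeholders: ORGANIZATION_ID (numeric org ID), CUSTOMER_ID (Cloud Identity
# customer ID of the form C0xxxxxxx). Only principals belonging to the listed
# customers may appear in IAM policies under this organization.
name: organizations/ORGANIZATION_ID/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
    - values:
        allowedValues:
          - CUSTOMER_ID
```

Once enforced, IAM bindings anywhere in the organization can only name principals from the listed customers, so `allUsers` and `allAuthenticatedUsers` can no longer be added to a bucket's IAM policy. The constraint does not remove bindings that already exist, which is why the asset-level removal steps still have to be run for buckets the query flags today.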

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

  • AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
  • AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
  • GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
  • GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
  • gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
  • Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
  • Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
  • Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

  • AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
  • Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
  • Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

  • Execute the control-specific Console/CLI steps documented above for each flagged resource.
  • Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

  • Re-scan after each remediation batch.
  • Track exceptions with owner and expiry date.
  • Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Publicly Accessible AWS Buckets

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{
  buckets(
    where: {
      cloudProvider: "aws"
      publicAccessBlocked: false
      OR: [
        {
          hasBucketACLGrant_SOME: {
            OR: [
              { granteeURI: "http://acs.amazonaws.com/groups/global/AllUsers" }
              {
                granteeURI: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
              }
            ]
            permission_IN: ["READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"]
          }
        }
        {
          bucketPolicy: {
            statements_SOME: {
              effect: "Allow"
              OR: [
                { actions_INCLUDES: "s3:GetObject" }
                { actions_INCLUDES: "s3:ListObjects" }
                { actions_INCLUDES: "s3:ListObjectsV2" }
                { actions_INCLUDES: "s3:PutObject" }
                { actions_INCLUDES: "s3:PutObjectAcl" }
                { actions_INCLUDES: "s3:CreateMultipartUpload" }
                { actions_INCLUDES: "s3:UploadPart" }
                { actions_INCLUDES: "s3:DeleteObject" }
                { actions_INCLUDES: "s3:DeleteObjects" }
                { actions_INCLUDES: "s3:*" }
                { actions_INCLUDES: "*" }
              ]
              principals_INCLUDES: "AWS|*"
            }
          }
        }
      ]
    }
  ) {...AssetFragment}
}
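The stored AWS query above and the `aws s3api put-public-access-block` command in the remediation section describe the same three signals: the block-public-access settings, ACL grants to the AllUsers and AuthenticatedUsers groups, and Allow statements whose principal is everyone. The following is an added example, not Cyscale's code or the stored query itself: it reimplements the query's conditions in Python over the raw S3 API shapes (GetPublicAccessBlock settings, ACL grants, the bucket policy document) and runs them on constructed sample buckets. Two assumptions are made explicit in the code: `publicAccessBlocked` is taken to mean that all four block settings are on, and the query's `AWS|*` principal form is taken to be the normalization of both `"Principal": "*"` and `{"AWS": "*"}`.

```python
"""Classify S3 buckets as publicly accessible using the signals in the AWS
query above. Added example, not Cyscale's code; all bucket records below are
constructed sample data and the 123456789012 account ID is a placeholder."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}

# ACL permissions and policy actions the query treats as exposing the bucket.
RISKY_ACL_PERMISSIONS = {"READ", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
RISKY_POLICY_ACTIONS = {
    "s3:GetObject", "s3:ListObjects", "s3:ListObjectsV2", "s3:PutObject",
    "s3:PutObjectAcl", "s3:CreateMultipartUpload", "s3:UploadPart",
    "s3:DeleteObject", "s3:DeleteObjects", "s3:*", "*",
}
# The four settings that `aws s3api put-public-access-block` turns on.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def public_access_blocked(settings):
    """Assumption: the query's publicAccessBlocked is true only when all four
    block-public-access settings are enabled on the bucket."""
    return all(settings.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


def normalize_principals(principal):
    """Flatten a raw policy Principal into 'TYPE|value' strings, so both "*"
    and {"AWS": "*"} become "AWS|*" (assumed to be the form the query uses)."""
    if principal == "*":
        return {"AWS|*"}
    flattened = set()
    for ptype, values in principal.items():
        for value in (values if isinstance(values, list) else [values]):
            flattened.add(f"{ptype}|{value}")
    return flattened


def acl_is_public(grants):
    """grants: [{"granteeURI": ..., "permission": ...}] as from GetBucketAcl."""
    return any(g["granteeURI"] in PUBLIC_GRANTEES and g["permission"] in RISKY_ACL_PERMISSIONS
               for g in grants)


def policy_is_public(policy):
    """policy: parsed bucket policy document (GetBucketPolicy) or None.
    Like the query, this ignores Condition blocks, so it errs toward flagging."""
    for statement in (policy or {}).get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if actions & RISKY_POLICY_ACTIONS and "AWS|*" in normalize_principals(
                statement.get("Principal", {})):
            return True
    return False


def is_publicly_accessible(bucket):
    # The block settings win: they neutralize both public ACLs and public policies.
    if public_access_blocked(bucket["publicAccessBlock"]):
        return False
    return acl_is_public(bucket["aclGrants"]) or policy_is_public(bucket["policy"])


def find_public_buckets(buckets):
    return [b["name"] for b in buckets if is_publicly_accessible(b)]


ALL_ON = dict.fromkeys(PUBLIC_ACCESS_BLOCK_KEYS, True)
ALL_OFF = dict.fromkeys(PUBLIC_ACCESS_BLOCK_KEYS, False)

SAMPLE_BUCKETS = [  # constructed sample data
    {"name": "static-site", "publicAccessBlock": ALL_OFF, "aclGrants": [],  # public via policy
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::static-site/*"}]}},
    {"name": "legacy-acl",  # only BlockPublicAcls is on; the existing public ACL still applies
     "publicAccessBlock": {**ALL_OFF, "BlockPublicAcls": True},
     "aclGrants": [{"granteeURI": ALL_USERS, "permission": "READ"}], "policy": None},
    {"name": "locked-down", "publicAccessBlock": ALL_ON,  # same ACL, all four settings on
     "aclGrants": [{"granteeURI": ALL_USERS, "permission": "READ"}], "policy": None},
    {"name": "partner-share", "publicAccessBlock": ALL_OFF, "aclGrants": [],  # one account, not everyone
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": ["arn:aws:s3:::partner-share", "arn:aws:s3:::partner-share/*"]}]}},
]

if __name__ == "__main__":
    print(find_public_buckets(SAMPLE_BUCKETS))  # ['static-site', 'legacy-acl']
```

The `locked-down` record shows why the query gates on `publicAccessBlocked` first, and `legacy-acl` shows that turning on only `BlockPublicAcls` leaves an already-granted public ACL in effect, which is what `IgnorePublicAcls` addresses and why the CLI command sets all four flags. As with the query, a statement scoped by a `Condition` (for example to a VPC endpoint) is still reported, so treat a hit as a lead to review rather than a confirmed exposure.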

Publicly Readable Azure Blob Containers

Connectors

Microsoft Azure

Covered asset types

BlobContainer

Expected check: eq []

{
  blobContainers(
    where: {
      cloudProvider: "azure"
      publicAccessBlocked: false
      publicAccess_IN: ["Blob", "Container"]
    }
  ) {...AssetFragment}
}

Publicly Accessible Google Cloud Buckets

Connectors

Google Cloud

Covered asset types

Bucket

Expected check: eq []

{
  buckets(
    where: {
      cloudProvider: "gcp"
      publicAccessBlocked: false
      iamBindings_SOME: {
        OR: [
          { members_INCLUDES: "allUsers" }
          { members_INCLUDES: "allAuthenticatedUsers" }
        ]
        role: {
          OR: [
            { permissions_INCLUDES: "storage.objects.get" }
            { permissions_INCLUDES: "storage.objects.list" }
            { permissions_INCLUDES: "storage.objects.create" }
            { permissions_INCLUDES: "storage.objects.delete" }
            { permissions_INCLUDES: "storage.objects.update" }
            { permissions_INCLUDES: "storage.objects.*" }
            { permissions_INCLUDES: "storage.objects.setIamPolicy" }
            { permissions_INCLUDES: "storage.multipartUploads.create" }
            { permissions_INCLUDES: "storage.multipartUploads.*" }
          ]
        }
      }
    }
  ) {...AssetFragment}
}
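The Google Cloud query above flags a bucket when `allUsers` or `allAuthenticatedUsers` holds a role carrying one of the listed Cloud Storage permissions, and the CLI section removes such members with `gsutil iam ch -d`. The following is an added example, not Cyscale's code: it applies the query's conditions to bucket IAM policies in the JSON shape `gsutil iam get` prints and emits the matching `gsutil iam ch -d` command for each offending member. `ROLE_PERMISSIONS` is a constructed subset of what the predefined roles contain (a real tool would resolve roles through the IAM API), the custom role `bucketMetadataReader` is hypothetical, and the query's `publicAccessBlocked` is assumed to correspond to public access prevention being `enforced` on the bucket. It also goes one step beyond the literal query by treating the `.*` entries as prefix matches.

```python
"""Evaluate Cloud Storage bucket IAM bindings as the Google Cloud query above
does and generate the gsutil removal commands. Added example, not Cyscale's
code; the role map and bucket records are constructed sample data."""

PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")

# Permission patterns from the query. Entries ending in ".*" are treated here as
# prefix matches, which is broader than the query's literal string comparison.
RISKY_PERMISSIONS = {
    "storage.objects.get", "storage.objects.list", "storage.objects.create",
    "storage.objects.delete", "storage.objects.update", "storage.objects.*",
    "storage.objects.setIamPolicy", "storage.multipartUploads.create",
    "storage.multipartUploads.*",
}

# Constructed role -> permissions map (a subset of the real predefined roles).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create", "storage.multipartUploads.create"},
    "roles/storage.legacyBucketReader": {"storage.buckets.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.create", "storage.objects.delete",
                                  "storage.objects.get", "storage.objects.list",
                                  "storage.objects.update", "storage.objects.setIamPolicy"},
    # Hypothetical custom role that only reads bucket metadata: not flagged.
    "projects/example-project/roles/bucketMetadataReader": {"storage.buckets.get"},
}


def permission_is_risky(permission):
    for pattern in RISKY_PERMISSIONS:
        if pattern.endswith(".*"):
            if permission.startswith(pattern[:-1]):  # keep the trailing dot
                return True
        elif permission == pattern:
            return True
    return False


def role_is_risky(role):
    return any(permission_is_risky(p) for p in ROLE_PERMISSIONS.get(role, ()))


def public_bindings(bucket):
    """Return (member, role) pairs that make the bucket publicly accessible.
    Assumption: publicAccessBlocked in the query means public access
    prevention is 'enforced', in which case nothing is reported."""
    if bucket.get("publicAccessPrevention") == "enforced":
        return []
    found = []
    for binding in bucket["iamPolicy"]["bindings"]:
        if not role_is_risky(binding["role"]):
            continue
        for member in binding["members"]:
            if member in PUBLIC_MEMBERS:
                found.append((member, binding["role"]))
    return found


def remediation_commands(bucket):
    """One command per public member, in order of first appearance. With only
    a member given, `gsutil iam ch -d` drops every role that member holds."""
    members = []
    for member, _role in public_bindings(bucket):
        if member not in members:
            members.append(member)
    return [f"gsutil iam ch -d {m} gs://{bucket['name']}" for m in members]


def find_public_buckets(buckets):
    return [b["name"] for b in buckets if public_bindings(b)]


SAMPLE_BUCKETS = [  # constructed sample data in the shape of `gsutil iam get` output
    {"name": "www-assets", "publicAccessPrevention": "inherited", "iamPolicy": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin", "members": ["user:alice@example.com"]}]}},
    {"name": "reports", "publicAccessPrevention": "inherited", "iamPolicy": {"bindings": [
        {"role": "roles/storage.legacyBucketReader", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.objectCreator", "members": ["allUsers", "group:devs@example.com"]}]}},
    {"name": "internal", "publicAccessPrevention": "enforced", "iamPolicy": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
    {"name": "metadata-only", "publicAccessPrevention": "inherited", "iamPolicy": {"bindings": [
        {"role": "projects/example-project/roles/bucketMetadataReader", "members": ["allUsers"]}]}},
]

if __name__ == "__main__":
    for bucket in SAMPLE_BUCKETS:
        for command in remediation_commands(bucket):
            print(command)
```

The `reports` record shows why the page's CLI section issues two separate commands: each public member needs its own `-d`, and a member that holds several risky roles needs only one because the command removes all of that member's roles. The `internal` and `metadata-only` records show the two ways a public member can appear in a policy without the query flagging the bucket.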

Publicly Accessible Alibaba Buckets

Connectors

Alibaba Cloud

Covered asset types

Bucket

Expected check: eq []

{
  buckets(
    where: {
      cloudProvider: "alibaba"
      publicAccessBlocked: false
      OR: [
        { acl_IN: ["public-read", "public-read-write"] }
        {
          bucketPolicy: {
            statements_SOME: {
              effect: "Allow"
              OR: [
                { actions_INCLUDES: "oss:GetObject" }
                { actions_INCLUDES: "oss:PutObject" }
                { actions_INCLUDES: "oss:PutObjectAcl" }
                { actions_INCLUDES: "oss:ListObjects" }
                { actions_INCLUDES: "oss:GetObjectVersion" }
                { actions_INCLUDES: "oss:*" }
                { actions_INCLUDES: "*" }
              ]
              principals_INCLUDES: "*"
            }
          }
        }
      ]
    }
  ) {...AssetFragment}
}
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.



© 2026 Cyscale Limited
