How to Find AWS S3 Account Level Public Access
Problem
Public access policies may be applied to sensitive data buckets.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity high.
Prerequisites
This guide assumes that you have already installed and configured Resoto to collect your AWS cloud resources.
Directions
Execute the following search command in Resoto Shell or Resoto UI:

> search is(aws_s3_bucket) {account_setting: <-[0:]- is(aws_account) --> is(aws_s3_account_settings)} (bucket_public_access_block_configuration.block_public_acls==false and account_setting.reported.bucket_public_access_block_configuration.block_public_acls==false) or (bucket_public_access_block_configuration.ignore_public_acls==false and account_setting.reported.bucket_public_access_block_configuration.ignore_public_acls==false) or (bucket_public_access_block_configuration.block_public_policy==false and account_setting.reported.bucket_public_access_block_configuration.block_public_policy==false) or (bucket_public_access_block_configuration.restrict_public_buckets==false and account_setting.reported.bucket_public_access_block_configuration.restrict_public_buckets==false)

kind=aws_s3_bucket, ..., region=resoto-poweruser
kind=aws_s3_bucket, ..., account=poweruser-team

Pipe the search command into the dump command:

> search is(aws_s3_bucket) {account_setting: <-[0:]- is(aws_account) --> is(aws_s3_account_settings)} (bucket_public_access_block_configuration.block_public_acls==false and account_setting.reported.bucket_public_access_block_configuration.block_public_acls==false) or (bucket_public_access_block_configuration.ignore_public_acls==false and account_setting.reported.bucket_public_access_block_configuration.ignore_public_acls==false) or (bucket_public_access_block_configuration.block_public_policy==false and account_setting.reported.bucket_public_access_block_configuration.block_public_policy==false) or (bucket_public_access_block_configuration.restrict_public_buckets==false and account_setting.reported.bucket_public_access_block_configuration.restrict_public_buckets==false) | dump

reported:
  id: /aws/s3/123
  name: some-name
  ctime: '2022-12-05T22:53:14Z'
  kind: aws_s3_bucket
  age: 2mo28d

The command output will list the details of all non-compliant aws_s3_bucket resources.

Fix detected issues by following the remediation steps:

Enable Public Access Block at the account level to prevent the exposure of your data stored in S3.

Note: Please refer to the AWS S3 documentation for details.
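The search above pairs each bucket's own Public Access Block settings with the account-level aws_s3_account_settings resource and reports a bucket only when a flag is disabled at both levels, because AWS applies the most restrictive combination of the two. The following Python is an added example, not Resoto's code, that reproduces that evaluation offline on constructed records using the same attribute names as the search, and builds the parameter set for the recommended fix (enabling all four flags at the account level, as S3 Control's PutPublicAccessBlock expects). One deliberate difference from the literal search: a missing flag is treated as not blocking, since an absent configuration blocks nothing, whereas the search's `==false` matches only an explicit false. The account ids and bucket names are placeholders.

```python
"""Evaluate S3 Public Access Block settings at bucket and account level.

Added example (not Resoto's code). Input records are constructed to mirror the
attribute names in the Resoto search: ``bucket_public_access_block_configuration``
on the bucket, and the same key under ``reported`` on the account-level
``aws_s3_account_settings`` resource.
"""
from typing import Dict, List

# The four Public Access Block flags the search checks.
PAB_FLAGS = (
    "block_public_acls",
    "ignore_public_acls",
    "block_public_policy",
    "restrict_public_buckets",
)


def effective_block(bucket_cfg: Dict[str, bool], account_cfg: Dict[str, bool]) -> Dict[str, bool]:
    """AWS applies the most restrictive of bucket- and account-level settings, so a
    flag is effectively on when either level enables it. A missing flag counts as
    False (assumption: an absent configuration blocks nothing)."""
    return {f: bool(bucket_cfg.get(f, False)) or bool(account_cfg.get(f, False)) for f in PAB_FLAGS}


def open_flags(bucket_cfg: Dict[str, bool], account_cfg: Dict[str, bool]) -> List[str]:
    """Flags disabled at BOTH levels: the condition the search ORs together."""
    eff = effective_block(bucket_cfg, account_cfg)
    return [f for f in PAB_FLAGS if not eff[f]]


def find_noncompliant(buckets: List[dict], account_settings: Dict[str, Dict[str, bool]]) -> Dict[str, List[str]]:
    """Return {bucket_name: [open flags]} for the buckets the search would report.

    ``buckets``: dicts with ``name``, ``account`` and
    ``bucket_public_access_block_configuration``.
    ``account_settings``: {account_id: account-level PAB config}, i.e. the
    aws_s3_account_settings resource reached through the account edge.
    """
    findings: Dict[str, List[str]] = {}
    for b in buckets:
        acct_cfg = account_settings.get(b["account"], {})
        missing = open_flags(b.get("bucket_public_access_block_configuration", {}), acct_cfg)
        if missing:
            findings[b["name"]] = missing
    return findings


def account_remediation(account_id: str) -> dict:
    """Parameters for the page's fix: enable all four flags at the account level.
    This is the argument shape S3 Control's PutPublicAccessBlock takes; the call
    itself is not made here."""
    return {
        "AccountId": account_id,
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    }


# Constructed sample data (placeholder account ids and bucket names).
ALL_ON = {f: True for f in PAB_FLAGS}
ALL_OFF = {f: False for f in PAB_FLAGS}

SAMPLE_ACCOUNTS = {
    "111111111111": ALL_OFF,  # no account-level block
    "222222222222": ALL_ON,   # account-level block fully enabled
}
SAMPLE_BUCKETS = [
    {"name": "open-logs", "account": "111111111111",
     "bucket_public_access_block_configuration": ALL_OFF},
    {"name": "acl-blocked-only", "account": "111111111111",
     "bucket_public_access_block_configuration": {**ALL_OFF, "block_public_acls": True, "ignore_public_acls": True}},
    {"name": "covered-by-account", "account": "222222222222",
     "bucket_public_access_block_configuration": ALL_OFF},
]

if __name__ == "__main__":
    # open-logs: all four flags open; acl-blocked-only: policy flags open;
    # covered-by-account: not reported, the account-level block covers it.
    for name, flags in find_noncompliant(SAMPLE_BUCKETS, SAMPLE_ACCOUNTS).items():
        print(f"{name}: open -> {', '.join(flags)}")
```

The third sample bucket shows why the search joins through the account: its own configuration is fully open, yet it is not a finding because the account-level block applies to every bucket in that account. That is also why the remediation targets the account rather than individual buckets.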