Amazon S3 access points have Block Public Access configured with all settings enabled: block_public_acls, ignore_public_acls, block_public_policy, and restrict_public_buckets.
The evaluation inspects each access point's public access block configuration.
Risk
Without block public access on an access point, ACLs or policies can expose objects publicly despite intended restrictions. This enables unauthorized reads (confidentiality loss), writes or deletions (integrity/availability impact), and supports bulk data exfiltration or destructive actions.
prowler aws --checks s3_access_point_public_access_block
Recommendation
Enable all access-point Block Public Access settings (block_public_acls, ignore_public_acls, block_public_policy, restrict_public_buckets).
Apply least privilege, prefer VPC-only access points (NetworkOrigin VPC), and layer the account-level and bucket-level blocks on top of the access-point block for defense in depth. Regularly audit access point policies for public principals such as Principal: "*".
Remediation
Because an access point's Block Public Access settings cannot be changed after it has been created, the noncompliant access point has to be recreated:
- In the AWS console, go to S3 > Access points
- Select the noncompliant access point and click Delete access point
- Click Create access point, select the same bucket
- Ensure Block public access is enabled (all options On by default)
- Click Create access point
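The evaluation described above, as an added example written for this page (it is not Prowler's own source code): it takes the response shape of the S3 Control GetAccessPoint API, reports which of the four settings are missing, and produces a PASS/FAIL record. The sample responses are constructed, and the optional live-audit helper assumes a boto3 s3control client with list_access_points and get_access_point.

```python
# Added example, not Prowler's source. Evaluates the Block Public Access
# settings of an S3 access point as returned by s3control GetAccessPoint.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def missing_settings(access_point: dict) -> list[str]:
    """Return the Block Public Access settings that are not enabled.

    A missing PublicAccessBlockConfiguration key is treated as all four
    settings disabled, which is the conservative reading for a check.
    """
    pab = access_point.get("PublicAccessBlockConfiguration") or {}
    return [name for name in REQUIRED_SETTINGS if pab.get(name) is not True]


def evaluate(access_point: dict) -> dict:
    """PASS only when all four settings are True; FAIL lists what is off."""
    name = access_point.get("Name", "<unknown>")
    missing = missing_settings(access_point)
    if not missing:
        detail = f"Access point {name} has all Block Public Access settings enabled."
        return {"resource": name, "status": "PASS", "status_extended": detail}
    detail = f"Access point {name} is missing: {', '.join(missing)}."
    return {"resource": name, "status": "FAIL", "status_extended": detail}


def audit_account(account_id: str, region: str) -> list[dict]:
    """Live variant (assumption: boto3 available and credentials configured)."""
    import boto3  # imported lazily so the offline samples below still run

    client = boto3.client("s3control", region_name=region)
    paginator = client.get_paginator("list_access_points")
    findings = []
    for page in paginator.paginate(AccountId=account_id):
        for summary in page.get("AccessPointList", []):
            ap = client.get_access_point(AccountId=account_id, Name=summary["Name"])
            findings.append(evaluate(ap))
    return findings


# Constructed sample responses (not real account data).
COMPLIANT = {"Name": "ap-good", "Bucket": "example-bucket", "NetworkOrigin": "VPC",
             "PublicAccessBlockConfiguration": {k: True for k in REQUIRED_SETTINGS}}
PARTIAL = {"Name": "ap-partial", "Bucket": "example-bucket", "NetworkOrigin": "Internet",
           "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
NO_PAB = {"Name": "ap-none", "Bucket": "example-bucket", "NetworkOrigin": "Internet"}

if __name__ == "__main__":
    for ap in (COMPLIANT, PARTIAL, NO_PAB):
        print(evaluate(ap)["status_extended"])
```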
Resource Type
AwsS3AccessPoint