This check assesses the Amazon S3 account-level Block Public Access settings ignore_public_acls and restrict_public_buckets, confirming that ACL-based public access is blocked centrally for the whole account and that buckets carrying a public bucket policy are limited to principals within the account.
Risk
Without these settings, public ACLs or broad bucket policies can grant access to the internet or to other AWS accounts, putting the following at risk:
- Confidentiality: bulk data exfiltration
- Integrity: object overwrite/tampering
- Availability: malicious deletions or malware hosting, triggering takedowns
prowler aws --checks s3_account_level_public_access_blocks
prowler aws --checks s3_account_level_public_access_blocks --fixer
Recommendation
Turn on account-level Block Public Access (prefer enabling all four: block_public_acls, ignore_public_acls, block_public_policy, restrict_public_buckets) to enforce least privilege. For legitimate access, use private buckets with CloudFront, VPC endpoints, or presigned URLs. Regularly review policies with IAM Access Analyzer.
Remediation
aws s3control put-public-access-block --account-id <account_id> --public-access-block-configuration IgnorePublicAcls=true,RestrictPublicBuckets=true
- In the AWS Console, go to S3
- Click Block public access (account settings)
- Click Edit
- Turn on: Ignore public ACLs and Restrict public buckets
- Click Save changes
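The following script is an added example, not Prowler's own check or fixer code. It mirrors what the check and the remediation above do: evaluate the account's PublicAccessBlockConfiguration for the two required flags, and build the configuration to send back. It assumes boto3 is installed and AWS credentials are configured for the live part; the evaluation and merge logic run offline on a constructed sample. One caveat it encodes: PutPublicAccessBlock replaces the entire configuration, and any of the four keys omitted from the request becomes false, so the fixer always sends all four keys rather than only the two the check requires.

```python
"""Evaluate and remediate S3 account-level Block Public Access (added example)."""
from __future__ import annotations

# The four account-level BPA settings, as the S3 Control API names them.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# The two settings this check requires.
REQUIRED_FOR_CHECK = ("IgnorePublicAcls", "RestrictPublicBuckets")


def evaluate_public_access_block(config: dict | None) -> tuple[str, list[str]]:
    """Return ("PASS" or "FAIL", list of required keys that are not True).

    `config` is the PublicAccessBlockConfiguration dict returned by
    GetPublicAccessBlock, or None when the account has no configuration at
    all (the API raises NoSuchPublicAccessBlockConfiguration), which is
    equivalent to every flag being False.
    """
    cfg = config or {}
    missing = [k for k in REQUIRED_FOR_CHECK if not cfg.get(k, False)]
    return ("PASS" if not missing else "FAIL"), missing


def remediation_config(current: dict | None, enable_all: bool = True) -> dict:
    """Build the full configuration to send with PutPublicAccessBlock.

    The API replaces the whole configuration and treats omitted keys as
    False, so every key is always present here. With enable_all=True (the
    page's recommendation) all four flags are turned on; otherwise existing
    values are kept and only the two required flags are forced to True.
    """
    cfg = dict(current or {})
    merged = {k: bool(cfg.get(k, False)) for k in BPA_KEYS}
    for k in (BPA_KEYS if enable_all else REQUIRED_FOR_CHECK):
        merged[k] = True
    return merged


def run_against_account(account_id: str, fix: bool = False) -> tuple[str, list[str]]:
    """Live version: read the account's BPA with boto3 and optionally fix it.

    boto3 is imported lazily so the logic above stays usable offline.
    Assumption: boto3 is installed and credentials come from the standard
    AWS credential chain with s3:GetAccountPublicAccessBlock and
    s3:PutAccountPublicAccessBlock permissions.
    """
    import boto3  # assumption: available in the environment

    s3control = boto3.client("s3control")
    try:
        current = s3control.get_public_access_block(
            AccountId=account_id)["PublicAccessBlockConfiguration"]
    except s3control.exceptions.NoSuchPublicAccessBlockConfiguration:
        current = None  # no account-level BPA at all: treat as all False

    status, missing = evaluate_public_access_block(current)
    if status == "FAIL" and fix:
        desired = remediation_config(current)
        s3control.put_public_access_block(
            AccountId=account_id, PublicAccessBlockConfiguration=desired)
        status, missing = evaluate_public_access_block(desired)
    return status, missing


if __name__ == "__main__":
    # Constructed sample: an account where only BlockPublicAcls was enabled.
    sample = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
    print(evaluate_public_access_block(sample))
    # -> ('FAIL', ['IgnorePublicAcls', 'RestrictPublicBuckets'])
    print(remediation_config(sample))  # all four keys, all True
```

Run it against a real account with `run_against_account("<account_id>")`, and with `fix=True` to apply the same change the fixer and the CLI command above make.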
Source Code
Resource Type
AwsS3AccountPublicAccessBlock