Amazon S3 buckets are evaluated for Block Public Access settings, ensuring ignore_public_acls and restrict_public_buckets are enabled at the bucket or account scope.
Account-wide protections, when present, are treated as effective for the bucket.
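The merge rule described above (a bucket passes when both settings are enabled at either scope, because AWS applies the more restrictive of the account and bucket configuration) can be modelled offline. The following is an added example, not Prowler's own source; the input dicts mirror the shape of the boto3 `get_public_access_block()` response, `None` stands for the `NoSuchPublicAccessBlockConfiguration` case where no configuration exists at that scope, and the account and bucket samples at the bottom are constructed.

```python
from typing import Optional

# The two settings this check requires (the other two, BlockPublicAcls and
# BlockPublicPolicy, are recommended but not what this check evaluates).
REQUIRED = ("IgnorePublicAcls", "RestrictPublicBuckets")


def effective_block(account_cfg: Optional[dict], bucket_cfg: Optional[dict]) -> dict:
    """Merge account- and bucket-level Block Public Access settings.

    A setting is effective for the bucket if it is enabled at either scope.
    None means no PublicAccessBlock configuration exists at that scope
    (boto3 raises NoSuchPublicAccessBlockConfiguration), so every flag is
    treated as False there.
    """
    acct = (account_cfg or {}).get("PublicAccessBlockConfiguration", {})
    bkt = (bucket_cfg or {}).get("PublicAccessBlockConfiguration", {})
    return {k: bool(acct.get(k, False) or bkt.get(k, False)) for k in REQUIRED}


def evaluate_bucket(name: str, account_cfg: Optional[dict], bucket_cfg: Optional[dict]) -> dict:
    """Return a finding-like dict: PASS when both required flags are effective."""
    eff = effective_block(account_cfg, bucket_cfg)
    missing = [k for k in REQUIRED if not eff[k]]
    return {
        "resource": name,
        "status": "PASS" if not missing else "FAIL",
        "missing": missing,
    }


# --- constructed sample data (not real account or bucket names) ---
ACCOUNT_OFF: Optional[dict] = None  # no account-level configuration at all
ACCOUNT_ON = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }
}
BUCKET_NONE: Optional[dict] = None  # bucket never had put-public-access-block applied
BUCKET_PARTIAL = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": False,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    }
}
BUCKET_FULL = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": False,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": True,
    }
}


def run_sample() -> dict:
    """Evaluate a few constructed buckets under both account states."""
    cases = {
        "no-config/account-off": (ACCOUNT_OFF, BUCKET_NONE),
        "partial/account-off": (ACCOUNT_OFF, BUCKET_PARTIAL),
        "full/account-off": (ACCOUNT_OFF, BUCKET_FULL),
        "no-config/account-on": (ACCOUNT_ON, BUCKET_NONE),
    }
    return {n: evaluate_bucket(n, a, b) for n, (a, b) in cases.items()}


if __name__ == "__main__":
    for name, finding in run_sample().items():
        print(f"{finding['status']:4} {name:24} missing={finding['missing']}")
```

A bucket with no configuration of its own still passes when the account-wide block is enabled, while a bucket that only ignores public ACLs fails on `RestrictPublicBuckets`; that is the distinction the check is making.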
Risk
Without S3 Block Public Access, a public ACL or an overly broad bucket policy can grant access to the Internet or to other accounts, exposing the bucket to:
- Data disclosure (confidentiality)
- Object overwrite or uploads (integrity)
- Deletion or outages from misuse (availability)
prowler aws --checks s3_bucket_level_public_access_block
Recommendation
Enable Block Public Access at account and bucket levels with block_public_acls, ignore_public_acls, block_public_policy, and restrict_public_buckets set to true. Apply least privilege and defense in depth. If public access is required, narrowly scope policies to fixed principals and conditions.
Remediation
aws s3api put-public-access-block --bucket <BUCKET_NAME> --public-access-block-configuration IgnorePublicAcls=true,RestrictPublicBuckets=true
- In the AWS Console, open S3 and select the target bucket
- Go to Permissions > Block public access (bucket settings)
- Enable only:
  - Ignore public ACLs
  - Restrict public buckets
- Click Save changes
- Alternatively, to apply account-wide: S3 > Account settings > Block Public Access, enable the same two options and Save
Source Code
Resource Type
AwsS3Bucket