AWS Config Rule: S3 Account Level Public Access Blocks
Fernando Honig
Last updated 8 months ago
Description: Checks whether the required public access block settings are configured at the account level. The rule is NON_COMPLIANT only when the fields set below do not match the corresponding fields in the configuration item.
Note: If you are using this rule, ensure that S3 Block Public Access is enabled. The rule is change-triggered, so it will not be invoked unless S3 Block Public Access is enabled. If S3 Block Public Access is not enabled the rule returns INSUFFICIENT_DATA. This means that you still might have some public buckets. For more information about setting up S3 Block Public Access, see Blocking public access to your Amazon S3 storage.
Trigger type: Configuration changes (current status not checked, only evaluated when changes generate new events)
Note: This rule is only triggered by configuration changes for the specific region where the S3 endpoint is located. In all other regions, the rule is checked periodically. If a change was made in another region, there could be a delay before the rule returns NON_COMPLIANT.
AWS Region: All supported AWS regions except Middle East (Bahrain), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region
How to Resolve Manually
You may find yourself in a situation where it is more beneficial to set an account-wide setting that blocks all public access to every S3 bucket in your account. To do this, open the S3 dashboard in the AWS Console; in the left-hand panel you will find a section called "Public access settings for this account".
From here, you are able to set top-level rules for your S3 Buckets, much like the individual bucket public settings options.
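The following is an added example, not part of this page or of StackZone's own code. It mirrors the rule's three outcomes described above (COMPLIANT, NON_COMPLIANT, and INSUFFICIENT_DATA when no account-level block exists) as a pure evaluator, plus a helper that reads the live account setting with boto3 `s3control.get_public_access_block`. The assumption that all four block settings must be true is constructed, since the page does not list the rule's parameters.

```python
"""Evaluate an account-level S3 Public Access Block the way the Config rule does."""
from typing import Dict, List, Optional, Tuple

# Assumed rule parameters: every block setting must be enabled. The page does
# not list the rule's parameters, so this expectation is constructed here.
REQUIRED_BLOCKS: Dict[str, bool] = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def evaluate(config: Optional[Dict[str, bool]],
             required: Dict[str, bool] = REQUIRED_BLOCKS) -> Tuple[str, List[str]]:
    """Return (status, mismatched_fields) for an account-level configuration.

    config is the PublicAccessBlockConfiguration dict, or None when the account
    has no configuration at all (the INSUFFICIENT_DATA case the page describes).
    """
    if config is None:
        return "INSUFFICIENT_DATA", sorted(required)
    # A field missing from the configuration item is treated as False,
    # which is how S3 behaves when a setting was never enabled.
    mismatched = [field for field, want in required.items()
                  if config.get(field, False) != want]
    return ("COMPLIANT" if not mismatched else "NON_COMPLIANT"), mismatched


def fetch_account_config(account_id: str, client=None) -> Optional[Dict[str, bool]]:
    """Read the live account-level block with boto3; None if none is configured."""
    # Imported here so evaluate() runs offline without boto3 installed.
    import boto3
    import botocore.exceptions
    client = client or boto3.client("s3control")
    try:
        resp = client.get_public_access_block(AccountId=account_id)
    except botocore.exceptions.ClientError as exc:
        if exc.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return None  # no account-wide setting: the rule returns INSUFFICIENT_DATA
        raise
    return resp["PublicAccessBlockConfiguration"]


if __name__ == "__main__":
    # Constructed sample: one setting left off, as a partially configured account would look.
    sample = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
    print(evaluate(sample))   # ('NON_COMPLIANT', ['IgnorePublicAcls'])
    print(evaluate(None))     # ('INSUFFICIENT_DATA', [...all four fields...])
```

To check a real account, call `fetch_account_config("<your-account-id>")` with credentials that allow `s3:GetAccountPublicAccessBlock` and pass the result to `evaluate`.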