Cloud Security Index
aws

critical

Compliance Frameworks

BETA
CIS AWS Foundations Benchmark v3.0
2.1.4
NIST 800-53
AC-3, SC-7
SOC 2
CC6.1
PCI DSS v4.0
1.3.2

// Beta Mapping Disclaimer

Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.

Overview

Enforce S3 Block Public Access across all Landing Zone accounts using a multi-layered governance strategy: the primary control utilizes the native AWS Organizations S3 Policy type applied globally from the Management account, backed by an SCP to prevent local tampering of bucket/account settings, and continuous AWS Config tracking.

S3 Block Public Access operates across three distinct governance layers that must be aligned:

1. Organizations-level S3 Policy Type (Primary Control)

AWS Organizations supports a dedicated "S3 Policy" resource type. When enabled and configured on the Organization Root via the Management account, it globally overrides and enforces S3 Block Public Access across all underlying member accounts, buckets, and objects natively.

The four settings and what each prevents:

SettingEffect
BlockPublicAclsRejects PUT requests that include a public ACL; ignores public ACLs on existing objects
IgnorePublicAclsIgnores all public ACLs on buckets and objects, even if already set
BlockPublicPolicyRejects bucket policies that grant public access
RestrictPublicBucketsRestricts access to buckets with public policies to only AWS services and authorized users

All four must be enabled. Enabling only a subset leaves exploitable gaps - for example, enabling BlockPublicPolicy without IgnorePublicAcls still allows public access via legacy ACLs.

2. SCP Guardrail - Prevent Local Bypass (Defense in Depth)

While the Organizations S3 Policy type acts as an absolute override, an SCP is applied to member accounts to block unauthorized local attempts to drop account-level or bucket-level configurations, preventing intentional or accidental local drift.

3. AWS Config - Continuous Drift Detection

The s3-account-level-public-access-blocks-periodic managed Config rule evaluates member accounts on a periodic schedule, ensuring local resource structures remain aligned and visible to compliance frameworks.

Publicly exposed S3 storage is a primary vehicle for enterprise data breaches. Relying on individual account administrators to maintain local S3 blocks creates scaling risks. Utilizing the native AWS Organizations S3 Policy type provides an absolute central override that cannot be altered or bypassed at the individual member account or bucket level, while an SCP prevents local state changes.

Remediation Strategy

Enable the S3 Policy Type in AWS Organizations, apply the global block payload, deploy the protective SCP to the organization root to prevent local modification attempts, and verify tracking with AWS Config.

1.

Enable the S3 Policy feature flag inside your AWS Organizations Management account.

2.

Attach the AWS Organizations S3 Policy payload to the Organization Root OU.

3.

Attach the protective SCP to the root OU to prevent API modification commands against bucket or account blocks.

4.

Deploy the AWS Config rule s3-account-level-public-access-blocks-periodic to track continuous compliance.

# AWS Organizations S3 Policy Type
# Attach directly to the Organization Root via Management Account
{
  "s3_attributes": {
    "public_access_block_configuration": {
      "@@assign": "all"
    }
  }
}

Enforcement Logic

Automatedaws-api

Two detection layers run in parallel. The AWS Config managed rule s3-account-level-public-access-blocks-periodic evaluates each account periodically and marks it NON_COMPLIANT if any of the four settings is disabled or missing entirely. The CLI commands below provide on-demand multi-account verification. Any account returning false for a setting, or missing the configuration block altogether, is flagged for immediate remediation.

# Verify Block Public Access settings for a specific account
aws s3control get-public-access-block \
  --account-id <ACCOUNT_ID> \
  --query 'PublicAccessBlockConfiguration'

# Check all active accounts in the organization for non-compliant settings
for account_id in $(aws organizations list-accounts \
  --query 'Accounts[?Status==`ACTIVE`].Id' \
  --output text); do
  
  result=$(aws s3control get-public-access-block \
    --account-id "$account_id" \
    --query 'PublicAccessBlockConfiguration' \
    --output json 2>&1)
  
  # Catch accounts that have NO configuration block configured at all
  if echo "$result" | grep -q "NoSuchPublicAccessBlockConfiguration"; then
    echo "NON_COMPLIANT: $account_id - configuration is missing."
  # Catch accounts where a setting is explicitly set to false
  elif echo "$result" | grep -q "false"; then
    echo "NON_COMPLIANT: $account_id - $result"
  else
    echo "COMPLIANT: $account_id - $result"
  fi
done

# List Config non-compliant accounts for the managed rule
aws configservice get-compliance-details-by-config-rule \
  --config-rule-name s3-account-level-public-access-blocks-periodic \
  --compliance-types NON_COMPLIANT \
  --query 'EvaluationResults[].EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId'
SPEC_METADATA

Complexity
low
Impact
disruptive
Scope
root
Environment
all
Resources
S3
Remediation
organization
Auto-Remediate
Available
Category
data-protection
Enforcement
mandatory
Tags
data-protections3storagepreventativelanding-zone

Type
role
Frequency
quarterly