S3 Security Settings for Enabling S3 Block Public Access and Disabling ACLs
December 15, 2022
Overview
AWS recently published a blog (opens in a new tab) regarding upcoming S3 security changes coming in April 2023.
This update has 2 distinct changes in effect. Once the changes are in effect for a target Region, all newly created buckets in that region will have:
- S3 Block Public Access enabled by default.
- This includes all 4 Block Public Access Settings.
- Access Control Lists (ACLs) disabled by default.
- The Bucket owner enforced setting is on. With this setting, ACLs are disabled and no longer affect access permissions to the bucket. Requests to set or update ACLs will fail, but requests to read ACLs are supported.
This behavior is already default for console and will be default for buckets created by non-Console options including the S3 API, S3 CLI, AWS SDKs, or AWS CloudFormation.
AWS recommends a deliberate and thoughtful approach to creating new buckets that rely on public buckets or ACLs. We additionally recommend for customers to standardize existing buckets and settings if possible to enforce S3 Block Public Access on all buckets that do not need to be public and to disable ACLs and utilize IAM as a standard method of managing access to S3.
Finding Disabled Block Public Access and Enabled ACLs
S3 Block Public Access
S3 Bucket Block Public Access Settings
CloudQuery tables: aws_s3_buckets (opens in a new tab)
There are 4 different components for S3 Block Public Access Settings:
- Block public access to buckets and objects granted through new access control lists (ACLs)
- Block public access to buckets and objects granted through any access control lists (ACLs)
- Block public access to buckets and objects granted through new public bucket policies
- Block public and cross-account access to buckets and objects through any public bucket policies
The below query will check for any S3 bucket where 1 or more of those 4 components are set to false (and thus where block public access is not fully enabled).
SELECT *
FROM aws_s3_buckets
where block_public_acls is false
or block_public_policy is false
or ignore_public_acls is false
or restrict_public_buckets is false;
Account Level Block Public Access Settings
CloudQuery tables: aws_s3_accounts (opens in a new tab)
Block Public Access can also be set at the Account level, which we recommend as an additional layer of security if the S3 buckets in the account do not need to be public.
To check for this setting on accounts in CloudQuery, we can use the following query:
SELECT *
FROM aws_s3_accounts
WHERE block_public_acls is false
or block_public_policy is false
or ignore_public_acls is false
or restrict_public_buckets is false;
S3 Access Control Lists (ACLs)
Object Ownership Settings
CloudQuery tables: aws_s3_buckets (opens in a new tab) and aws_s3_bucket_grants (opens in a new tab)
There are 3 different settings for object ownership:
- Bucket owner enforced (ACLs disabled)
- Bucket owner preferred (ACLs enabled)
- Object writer (ACLs enabled)
To check for buckets with enabled ACLs (without disabled ACLs), we will look for bucket owner preferred, object writer settings, and empty values for object ownership. The empty values for object ownership currently correlate to object writer.
SELECT *
FROM aws_s3_buckets
WHERE ownership_controls &&'{"BucketOwnerPreferred", "ObjectWriter"}'
or ownership_controls is NULL;
Note: Buckets created via Console with ObjectWriter Object Ownership Settings and Buckets created via CLI without the Object Ownership option specified will result in an empty Object Ownership ownership_controls
field. This seems to be a default setting and we're following up with AWS on this discrepancy.
aws s3api create-bucket --bucket test-json-bucket --profile myprofile --region us-east-1
{
"Location": "/test-json-bucket"
}
aws s3api get-bucket-ownership-controls --bucket test-json-bucket --profile myprofile
An error occurred (OwnershipControlsNotFoundError) when calling the GetBucketOwnershipControls operation: The bucket ownership controls were not found
S3 Grants (ACLs)
To look for grants within resource ACLs that are associated with S3 buckets with enabled ACLs (without disabled ACLs), we will cross reference our S3 buckets from the above query with S3 grants.
SELECT *
FROM aws_s3_bucket_grants
LEFT JOIN aws_s3_buckets
on aws_s3_bucket_grants.bucket_arn = aws_s3_buckets.arn
WHERE ownership_controls && '{"BucketOwnerPreferred", "ObjectWriter"}'
or ownership_controls is NULL;
Contact Us
If you have comments or questions about S3 security or using CloudQuery, we would love to hear from you! Reach out to us on GitHub (opens in a new tab) or Discord (opens in a new tab)!
References
CloudQuery: AWS Source Plugin (opens in a new tab)
AWS News Blog: Amazon S3 Security Changes Are Coming in April of 2023 (opens in a new tab)
AWS: S3 Block Public Access (opens in a new tab)
AWS News Blog: Simplify Access Management for Data Stored in Amazon S3 (opens in a new tab)
AWS News Blog: Amazon S3 Block Public Access (opens in a new tab)
AWS S3: Controlling ownership of objects and disabling ACLs for your bucket (opens in a new tab)