On This Page

Question? Give us feedback →Edit this page on GitHub
  • Blog
  • S3 Security Settings for Enabling S3 Block Public Access and Disabling ACLs

S3 Security Settings for Enabling S3 Block Public Access and Disabling ACLs

December 15, 2022

Jason Kao
Name
Jason Kao
Twitter
https://www.linkedin.com/in/kaojason/

Overview

AWS recently published a blog regarding upcoming S3 security changes coming in April 2023.

This update has 2 distinct changes in effect. Once the changes are in effect for a target Region, all newly created buckets in that region will have:

  • S3 Block Public Access enabled by default.
    • This includes all 4 Block Public Access Settings.
  • Access Control Lists (ACLs) disabled by default.
    • The Bucket owner enforced setting is on. With this setting, ACLs are disabled and no longer affect access permissions to the bucket. Requests to set or update ACLs will fail, but requests to read ACLs are supported.

This behavior is already default for console and will be default for buckets created by non-Console options including the S3 API, S3 CLI, AWS SDKs, or AWS CloudFormation.

AWS recommends a deliberate and thoughtful approach to creating new buckets that rely on public buckets or ACLs. We additionally recommend for customers to standardize existing buckets and settings if possible to enforce S3 Block Public Access on all buckets that do not need to be public and to disable ACLs and utilize IAM as a standard method of managing access to S3.

Finding Disabled Block Public Access and Enabled ACLs

S3 Block Public Access

S3 Bucket Block Public Access Settings

CloudQuery tables: aws_s3_buckets

There are 4 different components for S3 Block Public Access Settings:

  • Block public access to buckets and objects granted through new access control lists (ACLs)
  • Block public access to buckets and objects granted through any access control lists (ACLs)
  • Block public access to buckets and objects granted through new public bucket policies
  • Block public and cross-account access to buckets and objects through any public bucket policies

The below query will check for any S3 bucket where 1 or more of those 4 components are set to false (and thus where block public access is not fully enabled).

SELECT * 
FROM aws_s3_buckets 
where block_public_acls is false 
or block_public_policy is false 
or ignore_public_acls is false 
or restrict_public_buckets is false;

Account Level Block Public Access Settings

CloudQuery tables: aws_s3_accounts

Block Public Access can also be set at the Account level, which we recommend as an additional layer of security if the S3 buckets in the account do not need to be public.

To check for this setting on accounts in CloudQuery, we can use the following query:

SELECT * 
FROM aws_s3_accounts 
WHERE block_public_acls is false 
or block_public_policy is false 
or ignore_public_acls is false 
or restrict_public_buckets is false;

S3 Access Control Lists (ACLs)

Object Ownership Settings

CloudQuery tables: aws_s3_buckets and aws_s3_bucket_grants

There are 3 different settings for object ownership:

  • Bucket owner enforced (ACLs disabled)
  • Bucket owner preferred (ACLs enabled)
  • Object writer (ACLs enabled)

To check for buckets with enabled ACLs (without disabled ACLs), we will look for bucket owner preferred, object writer settings, and empty values for object ownership. The empty values for object ownership currently correlate to object writer.

SELECT * 
FROM aws_s3_buckets 
WHERE ownership_controls &&'{"BucketOwnerPreferred", "ObjectWriter"}' 
or ownership_controls is NULL;

Note: Buckets created via Console with ObjectWriter Object Ownership Settings and Buckets created via CLI without the Object Ownership option specified will result in an empty Object Ownership ownership_controls field. This seems to be a default setting and we're following up with AWS on this discrepancy.

aws s3api create-bucket --bucket test-json-bucket  --profile myprofile --region us-east-1
 
{
    "Location": "/test-json-bucket"
}

aws s3api get-bucket-ownership-controls --bucket test-json-bucket --profile myprofile

An error occurred (OwnershipControlsNotFoundError) when calling the GetBucketOwnershipControls operation: The bucket ownership controls were not found

S3 Grants (ACLs)

To look for grants within resource ACLs that are associated with S3 buckets with enabled ACLs (without disabled ACLs), we will cross reference our S3 buckets from the above query with S3 grants.

SELECT * 
FROM aws_s3_bucket_grants 
LEFT JOIN aws_s3_buckets 
	on aws_s3_bucket_grants.bucket_arn = aws_s3_buckets.arn 
WHERE ownership_controls && '{"BucketOwnerPreferred", "ObjectWriter"}'
or ownership_controls is NULL;

Contact Us

If you have comments or questions about S3 security or using CloudQuery, we would love to hear from you! Reach out to us on GitHub or Discord!

References

CloudQuery: AWS Source Plugin

AWS News Blog: Amazon S3 Security Changes Are Coming in April of 2023

AWS: S3 Block Public Access

AWS News Blog: Simplify Access Management for Data Stored in Amazon S3

AWS News Blog: Amazon S3 Block Public Access

AWS S3: Controlling ownership of objects and disabling ACLs for your bucket

Harnessing the Power of BigQuery and CloudQuery for Google Cloud Cost OptimizationIntroducing the Tailscale Source Plugin