Public S3 buckets
Check ID: aws-s3-001
AWS-S3-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It flags S3 buckets that do not have all four S3 Block Public Access settings enabled.
Why it matters
Publicly accessible S3 buckets have caused some of the largest data breaches in history. In 2017, Alteryx exposed 123 million American household records through a misconfigured public bucket, and Accenture leaked 40,000 plaintext passwords the same year. Automated scanners like GrayhatWarfare continuously scan for open buckets, meaning exposure is typically discovered by attackers within hours. AWS introduced S3 Block Public Access in 2018 specifically to prevent this class of misconfiguration. Enabling all four block public access settings at both the account and bucket level provides defense in depth - even if a bucket policy accidentally grants public access, the block settings override it.
Common causes
Public buckets typically originate from development or demo environments where access was opened for quick testing and never reverted. Static website hosting and CloudFront origin configurations sometimes appear to require public access, leading teams to disable all four block settings instead of using a CloudFront Origin Access Identity (OAI) or Origin Access Control (OAC). Legacy applications built before S3 Block Public Access existed may rely on public bucket policies for functionality.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
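As an added illustration of what this check evaluates (example code, not cloud-audit's own), the following Python inspects GetPublicAccessBlock responses for a list of buckets and reports which of the four settings each failing bucket is missing. A bucket that has never been configured is reported by the API as a NoSuchPublicAccessBlockConfiguration error rather than as four false values, so it is handled explicitly. FakeS3Client, the sample bucket names and the helper function names are constructed for this example; in real use a boto3 S3 client is passed in their place.

```python
from typing import Dict, List, Optional

# The four settings this check requires; all must be true for a bucket to pass.
REQUIRED = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def missing_settings(config: Optional[Dict[str, bool]]) -> List[str]:
    """Settings that are off; None means the bucket has no configuration at all."""
    if config is None:
        return list(REQUIRED)
    return [name for name in REQUIRED if not config.get(name, False)]

def get_block_config(s3_client, bucket: str) -> Optional[Dict[str, bool]]:
    """None if never configured: the API raises instead of returning four falses."""
    try:
        resp = s3_client.get_public_access_block(Bucket=bucket)
    except Exception as exc:  # botocore ClientError in real use; duck-typed here
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise
    return resp["PublicAccessBlockConfiguration"]

def find_noncompliant(s3_client, buckets: List[str]) -> Dict[str, List[str]]:
    """Map each failing bucket to the settings it is missing; passing ones are omitted."""
    per_bucket = {b: missing_settings(get_block_config(s3_client, b)) for b in buckets}
    return {b: missing for b, missing in per_bucket.items() if missing}

class FakeS3Client:
    """Constructed stand-in for boto3.client("s3"); serves canned responses."""
    def __init__(self, configs: Dict[str, Optional[Dict[str, bool]]]):
        self.configs = configs
    def get_public_access_block(self, Bucket: str):
        cfg = self.configs[Bucket]
        if cfg is None:  # mimic the error boto3 raises for an unconfigured bucket
            err = Exception("NoSuchPublicAccessBlockConfiguration")
            err.response = {"Error": {"Code": "NoSuchPublicAccessBlockConfiguration"}}
            raise err
        return {"PublicAccessBlockConfiguration": cfg}

# Constructed inventory: compliant, half-configured (the static-site anti-pattern), never set.
SAMPLE = {
    "locked-down-logs": dict.fromkeys(REQUIRED, True),
    "demo-site": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "legacy-app": None,
}

def run_sample() -> Dict[str, List[str]]:
    return find_noncompliant(FakeS3Client(SAMPLE), list(SAMPLE))
```

Running the same logic against the account-level setting (GetPublicAccessBlock on the S3 Control API) gives the second layer the "Why it matters" section describes.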
Remediation: AWS CLI
aws s3api put-public-access-block --bucket BUCKET_NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
Remediation: Terraform
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = "bucket-name"
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
Compliance mapping
This check maps to CIS 2.1.5 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit