S3 Block Public Access — Account-level
Description
Block Public Access settings enabled at the AWS account level.
⚠️ Risk Impact
Publicly readable S3 buckets remain one of the most common causes of cloud data exposure. Account-level Block Public Access applies to every bucket in the account, and AWS enforces the most restrictive combination of the account and bucket settings, so a bucket-level ACL or bucket policy that would grant public access is overridden even if someone sets it by mistake.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
aws s3control put-public-access-block --account-id <id> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
The setting is per account, not organization-wide, so run it in every account (the caller needs s3:PutAccountPublicAccessBlock) and confirm with aws s3control get-public-access-block --account-id <id>. Inventory any buckets that intentionally serve public content (static websites, public datasets) before enabling it, because BlockPublicPolicy and RestrictPublicBuckets will cut off that access.
💀 Real-World Attack Scenario
An engineer made an S3 bucket public 'for 5 minutes' to share a file and never reverted it. The bucket held training data containing customer PII. It was found four months later by an external researcher running an automated scan for open buckets. Notification costs alone came to $1.4M.
💰 Cost of Non-Compliance
IBM's Cost of a Data Breach report puts the global average cost of a breach at $4.45M (2023 report). That figure covers breaches of all kinds, not public S3 incidents alone, but a bucket of customer PII left world-readable is exactly the kind of incident it counts.
📋 Audit Questions
- 1. Is account-level Block Public Access enabled, with all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) set to true?
- 2. In which accounts is it enabled, and which accounts (including newly created ones) are missing it?
- 3. Do any buckets still allow public access (bucket policy status IsPublic, or a public ACL), which would indicate the account-level setting is not in place?
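The remediation command and the audit questions above can be turned into a repeatable check. The following is an added example, not EchelonGraph's scanner code: it evaluates the account-level configuration returned by get-public-access-block (treating the NoSuchPublicAccessBlockConfiguration error as "every flag false"), combines it with each bucket's own setting the way AWS does (most restrictive wins), and reports which accounts are non-compliant and which buckets are not fully blocked. The clients are injected so the logic runs offline against the constructed fake clients at the bottom; in production you would pass boto3 s3control and s3 clients for each account, which is assumed rather than shown.

```python
"""Audit account-level S3 Block Public Access (BPA) across accounts.

Added example; assumes caller-supplied client objects exposing the
boto3-style method get_public_access_block(AccountId=...) (s3control)
and get_public_access_block(Bucket=...) (s3)."""
from dataclasses import dataclass

# The four flags the CLI remediation sets; all must be true at account level.
REQUIRED_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")
NO_CONFIG = "NoSuchPublicAccessBlockConfiguration"  # AWS error code when BPA was never set


def fetch_bpa(call, **kwargs):
    """Call get_public_access_block; return the config dict, or None when AWS
    reports that no configuration exists (every flag is then effectively false)."""
    try:
        return call(**kwargs)["PublicAccessBlockConfiguration"]
    except Exception as exc:  # botocore ClientError carries the code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == NO_CONFIG:
            return None
        raise


def missing_flags(config):
    """Flags that are false or absent in a PublicAccessBlockConfiguration."""
    if config is None:
        return tuple(REQUIRED_FLAGS)
    return tuple(f for f in REQUIRED_FLAGS if not config.get(f, False))


def effective_flags(account_cfg, bucket_cfg):
    """AWS applies the most restrictive combination of account and bucket
    settings, so a flag is in effect if either level enables it."""
    a, b = account_cfg or {}, bucket_cfg or {}
    return {f: bool(a.get(f)) or bool(b.get(f)) for f in REQUIRED_FLAGS}


@dataclass(frozen=True)
class AccountFinding:
    account_id: str
    missing: tuple          # account-level flags not enabled
    exposed_buckets: tuple  # buckets whose effective settings are incomplete

    @property
    def compliant(self):
        return not self.missing


def audit_account(account_id, s3control, s3, bucket_names):
    account_cfg = fetch_bpa(s3control.get_public_access_block, AccountId=account_id)
    exposed = []
    for name in bucket_names:
        bucket_cfg = fetch_bpa(s3.get_public_access_block, Bucket=name)
        if not all(effective_flags(account_cfg, bucket_cfg).values()):
            exposed.append(name)
    return AccountFinding(account_id, missing_flags(account_cfg), tuple(exposed))


# ---- constructed sample data standing in for real API responses ----------
class _FakeError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeClient:
    """Minimal stand-in for a boto3 client: maps an AccountId or Bucket name to
    a stored configuration; a missing key mimics the NoSuch... error."""
    def __init__(self, configs):
        self.configs = configs

    def get_public_access_block(self, **kwargs):
        key = kwargs.get("AccountId") or kwargs.get("Bucket")
        if key not in self.configs:
            raise _FakeError(NO_CONFIG)
        return {"PublicAccessBlockConfiguration": self.configs[key]}


# Hypothetical accounts: 111111111111 was remediated with the CLI command;
# 222222222222 was never configured and only one bucket has a partial block.
SAMPLE_S3CONTROL = FakeClient({"111111111111": dict.fromkeys(REQUIRED_FLAGS, True)})
SAMPLE_S3 = FakeClient({
    "partner-exports": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                        "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
})
SAMPLE_BUCKETS = {"111111111111": ["ml-training-data", "app-logs"],
                  "222222222222": ["partner-exports", "legacy-site"]}


def audit_all(buckets_by_account=SAMPLE_BUCKETS, s3control=SAMPLE_S3CONTROL, s3=SAMPLE_S3):
    return [audit_account(acct, s3control, s3, names)
            for acct, names in buckets_by_account.items()]


if __name__ == "__main__":
    for f in audit_all():
        state = "OK" if f.compliant else "MISSING " + ", ".join(f.missing)
        print(f"{f.account_id}: {state}; buckets not fully blocked: {list(f.exposed_buckets)}")
```

Note that a bucket-level block on its own (partner-exports above) still shows up as not fully blocked: two of the four flags are off at both levels, so a public bucket policy would still be honoured. That is the gap the account-level setting closes.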
🎯 MITRE ATT&CK Mapping
🏗️ Infrastructure as Code Fix
resource "aws_s3_account_public_access_block" "main" {
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
⚡ Common Pitfalls
- ⛔ BPA enabled on individual buckets only, with the account-level setting never applied
- ⛔ A 'temporary' disablement that is never re-enabled
- ⛔ Inconsistent settings across accounts, typically new accounts created without it
📈 Business Value
Account-level BPA is the single most effective control against public S3 incidents: one setting per account closes the exposure path regardless of how individual buckets are configured.
⏱️ Effort Estimate
5 minutes per account
EchelonGraph monitors BPA status continuously
🔗 Cross-Framework References
Automate CIS AWS 2.1.1 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.
Start Free →