turbot/aws_perimeter
Loading controls...

Control: S3 account settings should block public access

Description

Ensure S3 buckets block public policy and ACL access at the account level.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.s3_public_access_block_account

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.s3_public_access_block_account --share

SQL

select
'arn' || ':' || 'aws' || ':::' || account_id as resource,
case
when block_public_acls
and block_public_policy
and ignore_public_acls
and restrict_public_buckets then 'ok'
else 'alarm'
end as status,
case
when block_public_acls
and block_public_policy
and ignore_public_acls
and restrict_public_buckets then 'Account level public access blocks enabled.'
else 'Account level public access not enabled for: ' || concat_ws(
', ',
case
when not (block_public_acls) then 'block_public_acls'
end,
case
when not (block_public_policy) then 'block_public_policy'
end,
case
when not (ignore_public_acls) then 'ignore_public_acls'
end,
case
when not (restrict_public_buckets) then 'restrict_public_buckets'
end
) || '.'
end as reason,
region,
account_id
from
aws_s3_account_settings;

Tags