
S3 access points should have block public access settings enabled

S3 access points provide named network endpoints with dedicated access policies, but each access point carries its own public access configuration independent of the parent bucket. An access point with permissive block public access settings can expose objects even when the bucket itself blocks public access. This is an easy misconfiguration to miss because operators often assume bucket-level settings cascade down.

Enabling all four block public access flags at the access point level ensures that no ACL or policy on the access point can grant public read or write permissions, regardless of what the policy text says.

Retrofit consideration

Enabling block public access on existing access points used by applications that rely on public ACLs or policies will break those access patterns immediately.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See the provider docs for the resource involved: aws_s3_access_point.

resource "aws_s3_bucket" "this" {
  bucket        = "pofix-abc123"
  force_destroy = true
}

resource "aws_s3_access_point" "this" {
  # Reference the bucket declared above instead of a hard-coded name so the
  # access point and its bucket cannot drift apart.
  bucket     = aws_s3_bucket.this.id
  account_id = "123456789012"
  name       = "pofix-abc123"

  # All four flags must be true; one false or unset flag fails the control.
  public_access_block_configuration {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
}

What this control checks

In Terraform, access point public access block settings are configured via aws_s3control_access_point_public_access_block. All four arguments must be set to true: block_public_acls, block_public_policy, ignore_public_acls, and restrict_public_buckets. If this resource is omitted entirely, the control evaluates the access point's own configuration and fails. It also fails when any single flag is false or unset.

Common pitfalls

  • Account-level block does not satisfy access point evaluation

    Even if you enable S3 Block Public Access at the account level via aws_s3_account_public_access_block, this control evaluates the access point resource itself. You must still configure all four flags for each access point using aws_s3control_access_point_public_access_block.

  • Bucket-level block public access is separate

    The aws_s3_bucket_public_access_block resource applies to a bucket, not its access points. S3 uses the most restrictive union of bucket, access point, and account settings at runtime, but the control checks the access point configuration in isolation.

  • VPC-only access points still need block public access

    A VPC-only access point feels locked down, but network restriction and public access block are independent controls. vpc_configuration limits which network can reach the endpoint; it says nothing about whether the access point policy can grant public permissions. You still need aws_s3control_access_point_public_access_block with all four flags set to true.

  • Cross-account access points in AWS Organizations

    Access points created in delegated accounts may have different block public access defaults. SCPs and S3 delegated administrator policies don't automatically configure access point public access block settings, so each access point needs explicit configuration.

Audit evidence

Config rule evaluation results for s3-access-point-public-access-blocks showing all access points as COMPLIANT are the primary evidence. For per-access-point detail, aws s3control get-access-point output showing all four PublicAccessBlockConfiguration fields set to true works as point-in-time evidence. For large fleets, an AWS Config advanced query filtered by resource type AWS::S3::AccessPoint provides a fleet-wide snapshot. CloudTrail events for CreateAccessPoint and PutAccessPointPolicy demonstrate that blocks were in place at creation and that no subsequent policy change weakened them.
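An added example, not part of this page or of any tool it lists: a Python checker that applies the evaluation rule from "What this control checks" to the PublicAccessBlockConfiguration in records shaped like aws s3control get-access-point output, including the VPC-only and missing-configuration cases from the pitfalls above. The access point records are constructed samples and the VPC id is a placeholder.

```python
import json

# The four flags the control requires; every one must be true.
REQUIRED_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                  "IgnorePublicAcls", "RestrictPublicBuckets")


def evaluate_access_point(ap: dict) -> tuple[str, list[str]]:
    """Evaluate one record shaped like `aws s3control get-access-point` output.

    Returns (status, reasons). The control fails when the block configuration
    is absent and when any single flag is false or unset.
    """
    cfg = ap.get("PublicAccessBlockConfiguration")
    if not cfg:
        return "NON_COMPLIANT", ["PublicAccessBlockConfiguration is missing"]
    reasons = [
        f"{flag} is {'unset' if flag not in cfg else cfg[flag]}"
        for flag in REQUIRED_FLAGS
        if cfg.get(flag) is not True  # rejects False, None and non-bool junk
    ]
    return ("COMPLIANT" if not reasons else "NON_COMPLIANT"), reasons


def evaluate_fleet(access_points: list[dict]) -> dict[str, tuple[str, list[str]]]:
    """Fleet-wide snapshot: access point name -> (status, reasons)."""
    return {ap["Name"]: evaluate_access_point(ap) for ap in access_points}


# Constructed sample records (not from a real account); the VPC id is a placeholder.
SAMPLE_ACCESS_POINTS = json.loads("""
[
  {"Name": "ap-all-blocked", "Bucket": "example-bucket-abc123",
   "NetworkOrigin": "Internet",
   "PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
     "BlockPublicPolicy": true, "IgnorePublicAcls": true,
     "RestrictPublicBuckets": true}},
  {"Name": "ap-vpc-only-partial", "Bucket": "example-bucket-abc123",
   "NetworkOrigin": "VPC", "VpcConfiguration": {"VpcId": "vpc-placeholder"},
   "PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
     "BlockPublicPolicy": false, "IgnorePublicAcls": true}},
  {"Name": "ap-no-config", "Bucket": "example-bucket-abc123",
   "NetworkOrigin": "Internet"}
]
""")

if __name__ == "__main__":
    for name, (status, reasons) in evaluate_fleet(SAMPLE_ACCESS_POINTS).items():
        print(f"{name}: {status}", "; ".join(reasons))
```

Feeding it the JSON from a real get-access-point call per access point reproduces the per-access-point evidence described above; the VPC-only record shows that network restriction alone does not make an access point compliant.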

Framework-specific interpretation

PCI DSS v4.0: For card data environments, Requirements 1.3 and 7.2 together require that network access is restricted and that access to system components is appropriately scoped. An S3 access point without public access blocks can inadvertently serve cardholder data to unauthenticated requestors, regardless of how the parent bucket is configured.

NIST Cybersecurity Framework v2.0: PR.AA and PR.DS both apply here. PR.AA covers identity and access control: access points cannot be configured to allow anonymous or public access. PR.DS adds the data security angle, preventing objects from being unintentionally exposed through misconfigured access point policies or ACLs.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: s3_access_point_restrict_public_access

  • AWS Config Managed Rule: S3_ACCESS_POINT_PUBLIC_ACCESS_BLOCKS

  • Checkov Check: CKV_AWS_392

  • Powerpipe Controls: aws_compliance.control.s3_access_point_restrict_public_access, aws_compliance.control.s3_multi_region_access_point_public_access_blocked

  • Prowler Checks: s3_access_point_public_access_block, s3_multi_region_access_point_public_access_block

  • AWS Security Hub Control: S3.19

Last reviewed: 2026-03-09