S3 Multi-Region Access Points should have block public access settings enabled

S3 Multi-Region Access Points aggregate access across buckets in multiple AWS Regions. A single misconfigured public access setting on one of these access points can expose data from every underlying bucket simultaneously, across every Region the access point spans. The blast radius is far larger than a single-bucket misconfiguration.

Blocking public access at the Multi-Region Access Point level acts as a guardrail that overrides permissive bucket policies or ACLs on the underlying buckets. Without it, a future bucket policy change or ACL grant could silently open data to the internet through the access point.

Retrofit consideration

Changing block public access settings on an existing Multi-Region Access Point may break applications that rely on public access through the access point. Audit active consumers before enabling.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_s3control_multi_region_access_point.

resource "aws_s3control_multi_region_access_point" "this" {
  account_id = "123456789012"

  details {
    name = "pofix-abc123"

    public_access_block {
      block_public_acls       = true
      block_public_policy     = true
      ignore_public_acls      = true
      restrict_public_buckets = true
    }

    region {
      bucket = "example-bucket-abc123"
    }
  }
}

What this control checks

In Terraform, the aws_s3control_multi_region_access_point resource has a details block containing a nested public_access_block. All four arguments inside it must be true to pass: block_public_acls, block_public_policy, ignore_public_acls, and restrict_public_buckets. Setting any of them to false fails the control. Declare the block explicitly with all four values set to true so intent is visible in code review.

Common pitfalls

  • Defaults can mask intent in Terraform

    Omitting public_access_block from the details block in aws_s3control_multi_region_access_point leaves intent implicit. A future refactor or import can introduce drift without any obvious signal. Declare the block explicitly with all four values set to true.

  • Changing settings may require replacement in Terraform

    Depending on AWS API and provider behavior, changes to public_access_block on a Multi-Region Access Point can require resource replacement. Review Terraform plans carefully for force-replacement (-/+) before applying.

  • Bucket-level settings still matter

    The Multi-Region Access Point's block public access settings are evaluated independently of the underlying bucket's settings. The most restrictive setting wins, but that only applies when traffic routes through the access point. If the access point blocks public access but an underlying bucket does not, direct access to that bucket bypasses the access point entirely and could still be public. This control only validates the access point layer.

Audit evidence

AWS Config rule evaluation results should show each S3 Multi-Region Access Point as COMPLIANT. The CLI command aws s3control get-multi-region-access-point returns the PublicAccessBlock configuration; all four fields should be true. S3 console screenshots of the Multi-Region Access Point's "Block public access" panel with all four checkboxes enabled are also acceptable.

If Security Hub is in use, the finding for this control should show PASSED across all accounts and Regions where Multi-Region Access Points exist. CloudTrail logs for CreateMultiRegionAccessPoint and related management API calls confirm creation and any subsequent changes.
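The following Python script is an added example, not code from this page or from the Compliance.tf project. It applies the rule stated under "What this control checks" (all four public_access_block settings must be true) to two inputs: Terraform plan JSON from "terraform show -json" before apply, and the response of "aws s3control get-multi-region-access-point" as audit evidence for an existing access point. The sample plan and sample API response are constructed inline. The plan JSON layout (planned_values.root_module.resources, nested blocks rendered as lists, child_modules for modules) and the AccessPoint.PublicAccessBlock field names are assumptions based on the standard output formats rather than anything shown on this page.

```python
"""Check S3 Multi-Region Access Point block-public-access settings.

Inputs handled (both formats are assumptions, not taken from the page):
  1. Terraform plan JSON (`terraform show -json tfplan`) - catches a weak
     or omitted public_access_block before apply.
  2. Response of `aws s3control get-multi-region-access-point` - audit
     evidence for an access point that already exists.
"""
import json

# Terraform argument names (snake_case) and the API's field names (PascalCase).
TF_FIELDS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")
API_FIELDS = ("BlockPublicAcls", "BlockPublicPolicy",
              "IgnorePublicAcls", "RestrictPublicBuckets")

TARGET_TYPE = "aws_s3control_multi_region_access_point"


def failing_fields(settings, fields):
    """Return the fields that are missing or not exactly True."""
    return [f for f in fields if settings.get(f) is not True]


def _iter_resources(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def check_terraform_plan(plan):
    """Map each Multi-Region Access Point address to its list of failing fields.

    Terraform renders nested blocks as lists, so an omitted
    public_access_block appears as an empty list; it is reported as failing
    all four fields because the intent is left implicit.
    """
    results = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _iter_resources(root):
        if res.get("type") != TARGET_TYPE:
            continue
        details = res.get("values", {}).get("details") or [{}]
        pab = details[0].get("public_access_block") or [{}]
        results[res["address"]] = failing_fields(pab[0], TF_FIELDS)
    return results


def check_api_response(resp):
    """Return failing fields from a GetMultiRegionAccessPoint response."""
    pab = resp.get("AccessPoint", {}).get("PublicAccessBlock", {})
    return failing_fields(pab, API_FIELDS)


def is_compliant(resp):
    """True when the live access point passes the control."""
    return not check_api_response(resp)


# Constructed sample plan: one compliant resource, one with a weak setting,
# and one inside a module that omits public_access_block entirely.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket", "values": {}},
    {"address": "aws_s3control_multi_region_access_point.good",
     "type": "aws_s3control_multi_region_access_point",
     "values": {"details": [{"name": "pofix-abc123", "public_access_block": [
       {"block_public_acls": true, "block_public_policy": true,
        "ignore_public_acls": true, "restrict_public_buckets": true}]}]}},
    {"address": "aws_s3control_multi_region_access_point.weak",
     "type": "aws_s3control_multi_region_access_point",
     "values": {"details": [{"name": "weak-example", "public_access_block": [
       {"block_public_acls": true, "block_public_policy": true,
        "ignore_public_acls": false, "restrict_public_buckets": true}]}]}}
  ],
  "child_modules": [{"address": "module.storage", "resources": [
    {"address": "module.storage.aws_s3control_multi_region_access_point.implicit",
     "type": "aws_s3control_multi_region_access_point",
     "values": {"details": [{"name": "implicit-example"}]}}
  ]}]
}}}
""")

# Constructed sample CLI response with one weakened field.
SAMPLE_API = json.loads("""
{"AccessPoint": {"Name": "pofix-abc123", "Status": "READY",
 "PublicAccessBlock": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
                       "BlockPublicPolicy": false, "RestrictPublicBuckets": true}}}
""")

if __name__ == "__main__":
    for address, failing in check_terraform_plan(SAMPLE_PLAN).items():
        print(f"{address}: {'PASS' if not failing else 'FAIL ' + ', '.join(failing)}")
    print("live access point compliant:", is_compliant(SAMPLE_API))
```

For real evidence, feed the script the JSON saved from "terraform show -json tfplan" and from "aws s3control get-multi-region-access-point --account-id <account> --name <name>" instead of the constructed samples. Reporting the field names rather than a bare pass/fail makes the output usable as the screenshot-equivalent evidence described above, and treating an omitted block as a failure matches the "defaults can mask intent" pitfall.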

Framework-specific interpretation

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: s3_multi_region_access_point_public_access_blocked

  • AWS Config Managed Rule: S3_ACCESS_POINT_PUBLIC_ACCESS_BLOCKS

  • Checkov Check: CKV_AWS_392

  • Powerpipe Control: aws_compliance.control.s3_multi_region_access_point_public_access_blocked

  • Prowler Checks: s3_access_point_public_access_block, s3_multi_region_access_point_public_access_block

  • AWS Security Hub Controls: S3.19, S3.24

Last reviewed: 2026-03-09