I'm dealing with a Security Hub finding that says some of my S3 buckets should block public access. I have Block Public Access enabled both at the account level and on individual buckets, yet I'm still seeing these warnings. Could this be a false positive? What else should I check to ensure that public access is really turned off?
5 Answers
I've noticed that Security Hub's checks might not account for global settings when examining individual resources. It mainly looks at bucket configurations, not the account settings. If you've checked the "disable public buckets" option at the account level, you're probably fine. However, I recommend testing access directly by querying the bucket to see if you get a denial response. That might give you more confidence.
The finding you're seeing is likely part of a defense-in-depth approach. The check for S3.8 regarding public access primarily assesses the bucket level and not the account level. You can also consider implementing resource control policies, although they might not be reflected in some Security Hub evaluations. I've found it helpful to review the bucket configurations carefully; if public access is enabled at the account level, having it turned on for an individual bucket doesn't really add any security.
It's often best practice to disable the bucket-level controls if you have organization-wide settings in place to prevent these kinds of false positives. It simplifies things and enhances security.
If you want to be certain, you can create a publicly readable file in your bucket. If everything is configured correctly, you shouldn't be able to access it without credentials. This test can help confirm that public access is truly disabled.
It's technically a false positive, but keeping public access disabled at the account level is crucial. Even if you mistakenly enable it for an individual bucket, it won’t help much. It’s better to keep everything off to reduce any risk. Just be cautious and ensure you have a firm grip on those settings.
It might be worthwhile to keep that account-wide access setting off altogether, just to be safe. The chances of someone tweaking account settings while leaving individual bucket settings untouched are pretty slim.
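The answers above point out that the S3.8 check reads only the bucket-level Public Access Block while the account-level setting still applies. The following script, an added example that is not from any of the posters, pulls both configurations and merges them the way S3 does (a restriction is effective if either level enables it), so you can tell a false positive from a genuinely exposed bucket. The function names, and the bucket and account id arguments, are assumptions for illustration.

```python
"""Audit the effective S3 Block Public Access state for one bucket.

Security Hub control S3.8 looks only at the bucket-level configuration,
so a bucket that relies on the account-level setting can still be
flagged. This script reports which of the two cases you are in.
"""
from __future__ import annotations

# The four Public Access Block settings S3 applies. An access path is
# blocked when EITHER the account or the bucket enables the setting.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def effective_block(account: dict | None, bucket: dict | None) -> dict:
    """Merge account- and bucket-level PublicAccessBlockConfiguration.
    None means no configuration exists at that level (nothing blocked)."""
    account, bucket = account or {}, bucket or {}
    return {k: bool(account.get(k) or bucket.get(k)) for k in PAB_KEYS}


def is_fully_blocked(effective: dict) -> bool:
    return all(effective[k] for k in PAB_KEYS)


def explain_finding(account: dict | None, bucket: dict | None) -> str:
    """Classify an S3.8 finding against the merged configuration."""
    bucket_only = {k: bool((bucket or {}).get(k)) for k in PAB_KEYS}
    if all(bucket_only.values()):
        return "bucket blocks all public access itself; S3.8 should pass"
    if is_fully_blocked(effective_block(account, bucket)):
        return ("public access is blocked only by the account-level setting; "
                "S3.8 still fails (likely false positive)")
    missing = [k for k in PAB_KEYS if not effective_block(account, bucket)[k]]
    return "public access NOT fully blocked: " + ", ".join(missing)


def fetch_live(bucket_name: str, account_id: str) -> str:
    """Read both levels with boto3 (imported here so the merge logic above
    runs without AWS access) and return the classification string."""
    import boto3
    from botocore.exceptions import ClientError

    def read(client, **kwargs):
        try:
            return client.get_public_access_block(**kwargs)["PublicAccessBlockConfiguration"]
        except ClientError as err:  # absent config == nothing blocked
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            return None

    acct = read(boto3.client("s3control"), AccountId=account_id)
    bkt = read(boto3.client("s3"), Bucket=bucket_name)
    return explain_finding(acct, bkt)
```

Call `fetch_live("my-bucket", "123456789012")` (placeholder values) with credentials that can read both configurations; the third outcome lists exactly which setting is missing at both levels.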