S3.1: Account-level S3 public access is not fully blocked

What does AWS Security Hub S3.1 check?

S3.1 evaluates the account-level S3 Block Public Access setting and fails unless all four options (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) are turned on for the whole account.

Why does S3.1 matter?

Account-level Block Public Access is the backstop that prevents any single bucket from being made public by mistake, regardless of its individual policy or ACL. Without it, one careless bucket policy or a misconfigured tool can expose data, and the per-bucket settings become the only line of defence.

How do I fix S3.1?

1. Open S3 → Block Public Access settings for this account and enable all four options.
2. If a genuine public bucket exists (e.g. a static site), serve it through CloudFront with Origin Access Control instead of public S3, then turn the account block fully on.
3. Set the same block at the bucket level too, so new buckets inherit a safe default.

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'