Compliance · Critical severity

AWS Security Hub · S3

S3.19: An S3 access point can expose the bucket publicly

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub S3.19 check?

S3.19 checks that all four Block Public Access settings are enabled on each S3 access point. It reports FAILED if any single setting is disabled, because an access point with weakened BPA can expose the bucket it fronts.

Why does S3.19 matter?

An access point is an alternate front door to a bucket, so a single disabled BPA setting on it can open data publicly even when the underlying bucket is locked down — which is why the control is rated Critical. Because access point BPA is immutable after creation, a non-compliant access point can only have been created that way deliberately.

How do I fix S3.19?

  1. List access points with aws s3control list-access-points and inspect each one's PublicAccessBlockConfiguration (returned by aws s3control get-access-point).
  2. Because BPA cannot be edited after creation, create a replacement access point with all four settings enabled.
  3. Repoint consumers at the new access point and delete the non-compliant one.
  4. Enforce account-level Block Public Access so any access point inherits safe defaults.
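The audit-and-recreate procedure above, as an added example that is not Emnode's code: the check and the replacement request are pure Python and run offline on a constructed get-access-point result; audit_account() assumes boto3 is installed with s3control ListAccessPoints/GetAccessPoint permissions, and the "-v2" name suffix and sample values are assumptions.

```python
# Added example, not Emnode's code. The audit logic is pure Python and runs offline on the
# constructed sample; audit_account() assumes boto3 and s3control permissions in the account.

# The four Block Public Access flags S3.19 requires on every access point.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
FULLY_BLOCKED = {k: True for k in BPA_KEYS}

def disabled_bpa_settings(access_point: dict) -> list:
    """Flags that are missing or False on a get-access-point result (empty list = compliant)."""
    cfg = access_point.get("PublicAccessBlockConfiguration") or {}
    return [k for k in BPA_KEYS if cfg.get(k) is not True]

def replacement_request(account_id: str, access_point: dict, suffix: str = "-v2") -> dict:
    """create-access-point parameters for the fix: same bucket and origin, all four flags on.
    BPA is immutable after creation, so recreating the access point is the only remediation."""
    req = {
        "AccountId": account_id,
        "Name": access_point["Name"] + suffix,
        "Bucket": access_point["Bucket"],
        "PublicAccessBlockConfiguration": dict(FULLY_BLOCKED),
    }
    if access_point.get("NetworkOrigin") == "VPC":  # keep a VPC-only access point VPC-only
        req["VpcConfiguration"] = access_point["VpcConfiguration"]
    return req

def audit_account(account_id: str) -> dict:
    """Live check (needs credentials): maps each non-compliant access point to its disabled flags."""
    import boto3  # assumption: installed, with s3control ListAccessPoints/GetAccessPoint allowed
    s3c = boto3.client("s3control")
    findings, kwargs = {}, {"AccountId": account_id}
    while True:
        page = s3c.list_access_points(**kwargs)
        for ap in page.get("AccessPointList", []):
            missing = disabled_bpa_settings(s3c.get_access_point(AccountId=account_id, Name=ap["Name"]))
            if missing:
                findings[ap["Name"]] = missing
        if not page.get("NextToken"):
            return findings
        kwargs["NextToken"] = page["NextToken"]

# Constructed sample shaped like `aws s3control get-access-point` output; one flag is off.
SAMPLE_AP = {
    "Name": "reports-ap", "Bucket": "example-reports-bucket", "NetworkOrigin": "VPC",
    "VpcConfiguration": {"VpcId": "vpc-0123456789abcdef0"},
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": True},
}

if __name__ == "__main__":
    print(disabled_bpa_settings(SAMPLE_AP))  # ['BlockPublicPolicy']
```

Pass the returned request to s3control create_access_point, then repoint consumers and delete the old access point as in steps 3 and 4.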

Remediation script · bash

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
# Replace 123456789012 with your own account ID. Note that this does not rewrite an
# existing access point's own BPA settings, so the S3.19 finding still needs the
# recreate-and-cut-over in steps 2 and 3 above.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Is S3.19 a false positive?

Treat it as a genuine finding. You cannot fix it with an in-place edit: there is no API to change an access point's BPA after creation, so remediation always means recreate-and-cut-over.
