S3.24: A Multi-Region Access Point can expose data publicly

What does AWS Security Hub S3.24 check?

S3.24 checks that all four Block Public Access settings are enabled on each S3 Multi-Region Access Point. It reports FAILED if any of BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy or RestrictPublicBuckets is disabled on the MRAP.

Why does S3.24 matter?

An MRAP concentrates access to buckets across several Regions behind one endpoint, so a weakened BPA setting there can expose data globally through a single point — hence the Critical rating. Like ordinary access points, MRAP block-public-access settings are enabled by default and cannot be changed after creation, so a non-compliant MRAP reflects a deliberate creation-time choice.

How do I fix S3.24?

1. List MRAPs and read each one's PublicAccessBlock configuration.
2. Lock down the underlying buckets first with bucket-level Block Public Access.
3. Because MRAP BPA is immutable, delete and recreate the MRAP with all four settings enabled, then cut traffic over.
4. Enforce account-level BPA and an SCP so the finding cannot return.

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'