S3.8: Buckets can still be made public; Block Public Access is off

What does AWS Security Hub S3.8 check?

S3.8 checks that all four Block Public Access settings are enabled at the bucket level. It reports FAILED if any of BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy or RestrictPublicBuckets is off, leaving a path for the bucket to be made public.

Why does S3.8 matter?

Public S3 buckets were the dominant source of cloud data leaks for years — Verizon, Accenture, Capital One and more all traced back to the same handful of toggles being left open. With BPA off, a single careless ACL or policy edit silently exposes objects to the entire internet. Turning all four on makes an accidental public grant fail closed.

How do I fix S3.8?

1. Run put-public-access-block on each failing bucket with all four settings set to true.
2. For buckets that genuinely need to serve content publicly, front them with CloudFront plus Origin Access Control instead of opening the bucket.
3. Enable account-level Block Public Access, and add a Config rule or SCP so the toggles cannot be reopened.

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'