Compliance

Block public access to AWS resources

One capability across S3, EC2, RDS, snapshots, queues and topics: make sure nothing is reachable from, or shareable with, the public internet unless you genuinely intend it.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: AutoScaling.5 CloudTrail.6 DMS.1 EC2.9 EC2.15 EC2.25 EC2.172 ECS.2 EFS.6 EMR.1 EMR.2 MSK.4 RDS.2 Redshift.1 S3.1 S3.2 S3.3 S3.8 S3.19 S3.24 SNS.4 SQS.3 SSM.4 SSM.7

Blocking public access: the basics

What does "public" actually mean across AWS services?

"Public" in AWS is not one setting. It is a property that shows up in a dozen different shapes: an S3 bucket with a public policy or ACL, an EC2 instance with a public IPv4 address, an RDS instance marked publicly accessible, a snapshot shared with all accounts, an SNS topic or SQS queue whose resource policy allows a wildcard principal, an SSM document shared publicly, an EMR or MSK cluster on a public subnet. Each service expresses public reachability in its own way, but the risk is identical: data or control planes that anyone on the internet can reach.

AWS Security Hub turns each of these into its own control, which is why a single estate can fail twenty or more public-access checks at once. S3.1, S3.2, S3.8 and S3.19 cover buckets and access points; EC2.9 and EC2.15 cover public IPs; RDS.2 covers publicly accessible databases; SNS.4 and SQS.3 cover open resource policies; SSM.4 covers shared documents. They look like separate problems on the report, but they are one capability: close the doors you did not mean to leave open.

The good news is that most public exposure is drift, not intent. A subnet that auto-assigns public IPs, a snapshot copied with the wrong sharing flag, a bucket policy pasted with a wildcard principal. The job is to find every resource that is reachable from the public internet, decide which handful are public on purpose, route those through a controlled front door such as CloudFront or a load balancer, and then shut the rest.

In this lesson you will learn how AWS expresses public reachability across storage, compute, databases, snapshots and messaging, how to find every publicly exposed resource in an account, and how to close them down without breaking the few that are public on purpose. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The decade of leaked buckets

Between 2017 and 2020, before account-level Block Public Access existed and before AWS started enabling it by default, publicly exposed S3 buckets were the dominant source of cloud data leaks: Dow Jones, Verizon, Accenture, the US Department of Defense and Capital One among them. The pattern was always the same, a resource that could be made public was made public by accident. AWS has since shipped account-level and VPC-level public-access blocks, but every resource created before those defaults still needs to be checked and shut explicitly.

Finding public exposure across an estate

Priya is the security lead at a scale-up preparing for its first SOC 2 audit. Security Hub shows public-access failures spread across S3, EC2, RDS and SNS in three accounts that pre-date the team's current guardrails.

Rather than work the findings one by one, she starts by listing what is actually reachable from the internet, so she can separate genuine public services from drift before changing anything.

Start with the resources that expose data directly. Publicly accessible RDS instances are a common and high-impact finding.

$ aws rds describe-db-instances --query 'DBInstances[?PubliclyAccessible==`true`].[DBInstanceIdentifier,Engine]' --output table

-------------------------------------------

| legacy-reporting | postgres |

| analytics-staging | mysql |

-------------------------------------------

# Two databases reachable from the internet. Neither needs to be.

Public databases are the highest-value target in this group. Fix these first.

How AWS decides a resource is publicdeep dive

Most public-access controls resolve to one of three mechanisms. The first is a network property: a public IPv4 address or a resource placed on a subnet that routes to an internet gateway, which is how EC2.9, EC2.15, RDS.2 and the EMR and MSK public-subnet checks work. The second is a resource policy with a wildcard principal, which is how SNS.4, SQS.3 and the public snapshot and SSM document checks work. The third is the S3 access model, where bucket and account Block Public Access settings sit in front of policies and ACLs.

Security Hub evaluates these through AWS Config, typically on a several-hour cycle, so a fix does not flip the finding to PASSED instantly. The control plane change itself is immediate, but the report catches up on the next evaluation. This matters when you are gathering audit evidence against a deadline.

The strongest controls are the account-wide and VPC-wide blocks: S3 account-level Block Public Access and VPC Block Public Access act as a backstop that no individual resource can override. Turning those on is the difference between checking that nothing is public today and guaranteeing that nothing can be made public tomorrow.

What is the impact of leaving resources public?

The direct impact is data exposure. A public database, bucket or queue is reachable by anyone who finds it, and internet-facing resources are found quickly by automated scanners. The overwhelming majority of public-exposure incidents were accidents, a resource that could be public was made public by a policy or flag nobody intended to set.

The second-order impact is blast radius. Every public IP and open endpoint is attack surface that has to be defended continuously. Closing public access shrinks that surface to the handful of front doors you actually operate, which are the ones you can monitor, rate-limit and put a WAF in front of.

On the compliance side, every modern framework, SOC 2, ISO 27001, HIPAA, PCI DSS and FedRAMP, expects evidence that data stores are not publicly accessible by default. A passing set of public-access controls across every account is the cheapest and most defensible artefact you can hand an auditor.

How do you close public access safely?

Work the capability as one loop rather than chasing individual findings. The order matters: find the legitimate exceptions before you start shutting things, so you do not take a live service offline.

1. Inventory everything reachable from the internet

Across services, list the resources that are public: buckets and access points, EC2 instances and subnets that assign public IPs, publicly accessible databases, shared snapshots, and SNS topics, SQS queues and SSM documents with wildcard policies. Treat this inventory as the source of truth, not the Security Hub finding count, because one resource can trigger several controls.

2. Separate genuine public services from drift

Most public exposure is unintended. For each resource, decide whether it is public on purpose. Genuine public content (a static site, a public download bucket) belongs behind CloudFront with Origin Access Control or behind a load balancer, never directly exposed. Everything else is drift and can be closed.

3. Close the doors, highest impact first

Remove public IPs, set databases to not publicly accessible, tighten resource policies to remove wildcard principals, and un-share snapshots. Prioritise resources that hold data over those that do not. Each change is a single API call per resource and takes effect immediately.

4. Ratchet it shut with account and VPC blocks

Enable account-level S3 Block Public Access and VPC Block Public Access so no individual resource can be made public again, and disable public IP auto-assignment on subnets. Back this with AWS Config rules and Service Control Policies so the blocks cannot be quietly undone.

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

Quick quiz

Question 1 of 5

Security Hub shows public-access failures across S3, EC2, RDS and SNS. What is the most efficient way to think about them?

Keep learning

Go deeper on how public reachability works across the services in this capability.

You can now treat public access as one capability rather than a scatter of findings: inventory what is reachable from the internet, separate the genuine public services and route them through a controlled front door, close the rest highest-impact first, and ratchet the estate shut with account-level and VPC-level blocks. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Blocking public access: the cost and risk view

A near-zero-cost capability that removes the largest class of cloud data-breach liability

Public access across AWS is the single biggest source of accidental data exposure, and almost every control in this group costs nothing in AWS spend to fix. Turning off a public IP, tightening a resource policy or un-sharing a snapshot does not change your bill. The cost sits entirely in the few exceptions: the buckets and endpoints that genuinely serve public traffic and need to move behind CloudFront or a load balancer first.

Frame each failing control as a line on the risk register rather than a compliance checkbox. A publicly accessible RDS instance holding customer records carries a far higher expected loss than a public IP on a throwaway test box, yet both show up as a single red finding. Map the failures to the data behind them and prioritise by exposure, not by control count.

The insurance maths is one-sided. The remediation is engineering time plus a small, bounded migration for the legitimate exceptions. The downside of leaving it is the documented cost of a public-exposure breach: regulatory fines, breach notification, forensics, legal fees and reputational damage.

This lesson is for the finance partner who sees a cluster of public-access findings on the security report and wants to know what the right response is and what it costs. It covers why most of these controls are free to fix, which exceptions carry a real migration cost, and how to turn a list of red findings into a risk-ordered remediation plan.

Fun fact

The decade of leaked buckets

How a finance partner frames the public-access decision

Priya is the finance partner supporting the platform team's SOC 2 push. The security report lands with twenty-three public-access failures spread across S3, EC2, RDS and SNS in three older accounts. Her instinct is not to wave through a blanket remediation budget; it is to ask what is actually behind each red finding. Closing a public IP or tightening a resource policy changes nothing on the AWS bill, so the spend question is narrow: only the handful of resources that genuinely serve public traffic carry a real migration cost when they move behind CloudFront or a load balancer.

She asks the team to map each failing control to the data sitting behind it. Two findings are publicly accessible RDS instances holding customer records, one is a public download bucket that is meant to be reachable, and the rest are public IPs on test boxes and a couple of open SNS policies. Priya reframes the list on the risk register: the two customer databases are high expected-loss items to close today at zero AWS cost, the public bucket is a small, bounded CloudFront migration to schedule, and the test-box IPs are low-value drift to sweep up. Her finance pack reads: 'Twenty-one findings close at no incremental spend; one legitimate public service needs a bounded migration; the only thing standing between us and a clean posture is engineering time, not budget.'

Why public access belongs on the risk register

The cost model here is asymmetric in a way that is rare for security work. Closing public access costs nothing in AWS spend, and leaving it open creates an unbounded tail risk. Each failing control is a resource where a future accident could expose its contents, and while the probability per event is low, the probability across all resources over years is not.

The documented cost of a public-exposure breach includes mandatory notification within tight regulatory windows, forensics and legal fees that routinely run into six and seven figures, and customer churn. Against that, the remediation is engineering time plus a bounded migration for the few legitimately public services. The finance role is to attach expected loss to each failing resource so the work is prioritised by risk, not by the order the report lists it.

What finance can do about the public-access gap

Finance cannot tighten a resource policy, but it owns the framing that turns a scatter of red findings into a risk-ordered plan with almost no incremental AWS spend and a clearly bounded set of exceptions. Three levers.

1. Separate the zero-cost closures from the one bounded migration

Make explicit that the overwhelming majority of public-access findings cost nothing in AWS spend to fix: removing a public IP, tightening a resource policy or un-sharing a snapshot does not move the bill. The only real cost sits in the few legitimately public services that need to move behind CloudFront or a load balancer. Budget that bounded migration as a discrete line and treat everything else as engineering time, so nobody can claim the whole capability is a spending decision.

2. Order the work by expected loss, not by finding count

A publicly accessible database holding customer records and a public IP on a throwaway test box both show up as a single red finding, but their expected loss differs by orders of magnitude. Ask the team to map each failing control to the data behind it and prioritise the data stores first. The metric that belongs on the cost-and-security review is the count of public-access findings weighted by the sensitivity of what they expose, not the raw total.

3. Require documented exceptions for intentionally public services

Any resource left reachable from the internet on purpose, the public download bucket, the marketing site origin, should carry a recorded, finance-visible reason and the controlled front door it sits behind. The distinction between 'we reviewed this and routed it through CloudFront deliberately' and 'we never noticed it was open' is exactly what makes the posture defensible at audit and in the aftermath of any breach.

Quick quiz

Question 1 of 5

A security report shows twenty public-access findings. As the finance partner, what is the right starting assumption about their AWS-spend cost to remediate?

Keep learning

Go deeper on how public reachability works across the services in this capability.

You have finished the finance view of blocking public access. You know the cost model is one-sided: closing the great majority of findings is free in AWS spend, only the genuinely public services carry a bounded migration cost, and the downside of leaving exposure open is the documented and unbounded cost of a breach. Next time a cluster of public-access findings lands, you will order them by expected loss, ring-fence the one real migration, and ask for the exceptions on the record rather than asking how much remediation will cost.

Back to the library

Blocking public access: the headline

Whether anything in the estate is reachable from the internet by accident

Public access is the category of risk that turns a configuration mistake into a headline. A bucket, a database or a queue that can be reached from the open internet is one bad change away from exposing data, and the report shows this as a scatter of separate findings across many services.

The leadership question is not "are we compliant today?" It is "if a deployment makes a mistake tomorrow, can it expose data to the internet?" The defensible end state is that public reachability is prevented by policy, with the small number of genuinely public services routed through a controlled front door, not left on the open internet.

None of this is a cost decision. Closing public access is free in AWS terms. It is a governance decision about whether exposure is prevented by design or only by everyone remembering not to make a mistake.

A short read for the leader who needs to know what public access exposes, why closing it is a governance decision rather than a budget one, and what a defensible end state looks like across the estate.

Fun fact

The decade of leaked buckets

What it looks like when public access is prevented by design, not luck

After a peer company made the news for a leaked customer database that turned out to be a publicly accessible RDS instance nobody meant to expose, the CEO asked the obvious question at the next review: could that happen to us? The honest answer at the time was that it depended on whether anyone had remembered to check, because public reachability across the estate was governed by habit rather than policy.

The team's response was to stop treating public access as a per-resource cleanup and start treating it as a guardrail. They inventoried everything reachable from the internet, routed the genuinely public services through CloudFront and a load balancer, closed the rest, and then turned on account-level S3 Block Public Access and VPC Block Public Access as backstops that no individual resource can override. The next time the CEO asked the question, the answer had changed from 'we believe so' to 'no, the platform prevents it by design, and the few intentional public front doors are documented.' That shift, from relying on everyone remembering not to make a mistake to making the mistake structurally hard, is the one-line confidence signal this control delivers, and it costs nothing in AWS spend to reach.

Why this is a board-level risk

Nearly every major cloud data breach that involved exposed storage came back to the same root cause: a resource that could be made public was made public by an internal change. Blocking public access is the control that makes that root cause structurally difficult, and the account-wide and VPC-wide blocks make it close to impossible.

The cost of getting this wrong is large and well documented, while the cost of fixing it is essentially engineering time. This is the rare class of control where the risk of inaction is severe and the cost of action is small, which is exactly the trade leadership should be quickest to approve.

The leadership move on public access

The executive handle is not to approve each closure individually; it is to require that public reachability is prevented by policy and that the small number of deliberately public services are routed through a controlled front door, on the record.

1. Set a deadline to reach a backstopped end state

Ask for a date by which the estate is inventoried, the genuine public services are behind CloudFront or a load balancer, the rest are closed, and account-level S3 Block Public Access plus VPC Block Public Access are enabled with Service Control Policies preventing them being undone. A backstop that no individual resource can override is the difference between checking nothing is public today and guaranteeing nothing can be made public tomorrow.

2. Ask for proof, not assurance

The proof that this is closed is not a verbal 'we are on it.' It is a passing set of public-access controls across every account plus evidence that the account-wide and VPC-wide blocks are on. Because Security Hub evaluates through AWS Config on a several-hour cycle, ask for that evidence with a little lead time before any audit deadline rather than the morning of.

3. Treat the genuinely public services as named, owned exceptions

A small number of services are public on purpose, and that is fine. The leadership requirement is that each is a deliberate, documented decision with an owner and a controlled front door, not an accident left on the open internet. The goal is not zero public services; it is zero unintended ones.

Quick quiz

Question 1 of 5

At a board review you ask whether a leaked-database incident like a competitor's could happen to your estate. What end state should you be looking for as the defensible answer?

Keep learning

Go deeper on how public reachability works across the services in this capability.

Two takeaways. Public access is the rare control where the risk of inaction is severe and the cost of action is essentially engineering time, so it is the trade you should be quickest to approve. And the defensible end state is not 'we checked and nothing is public today'; it is account-wide and VPC-wide blocks that make accidental exposure structurally hard, with the few deliberate public front doors documented and owned.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

EC2

ECS

ECS.2 High An ECS service auto-assigns public IPs to tasks

EFS

EFS.6 Medium Mount targets not in public-IP subnets

EMR

MSK

MSK.4 Critical An MSK cluster allows public access

RDS

RDS.2 High An RDS instance is publicly accessible from the internet

Redshift

Redshift.1 Critical A Redshift cluster is publicly accessible

S3

SNS

SNS.4 Critical An SNS topic policy allows public access

SQS

SQS.3 Critical An SQS queue policy allows public access

SSM

Part of the learning path Trim your network spend

Block public access to AWS resources

Blocking public access: the basics

The decade of leaked buckets

Finding public exposure across an estate

How AWS decides a resource is publicdeep dive

What is the impact of leaving resources public?

How do you close public access safely?

1. Inventory everything reachable from the internet

2. Separate genuine public services from drift

3. Close the doors, highest impact first

4. Ratchet it shut with account and VPC blocks

Quick quiz

Keep learning

Blocking public access: the cost and risk view

The decade of leaked buckets

How a finance partner frames the public-access decision

Why public access belongs on the risk register

What finance can do about the public-access gap

1. Separate the zero-cost closures from the one bounded migration

2. Order the work by expected loss, not by finding count

3. Require documented exceptions for intentionally public services

Quick quiz

Keep learning

Blocking public access: the headline

The decade of leaked buckets

What it looks like when public access is prevented by design, not luck

Why this is a board-level risk

The leadership move on public access

1. Set a deadline to reach a backstopped end state

2. Ask for proof, not assurance

3. Treat the genuinely public services as named, owned exceptions

Quick quiz

Keep learning

Controls this lesson covers

AutoScaling

CloudTrail

DMS

EC2

ECS

EFS

EMR

MSK

RDS

Redshift

S3

SNS

SQS

SSM

Related compliance lessons