S3 Public Access Prevention

    Policy Description

    What this SCP does

    This Service Control Policy (SCP) denies the s3:PutBucketAcl call whenever the request sets the canned ACL to public-read. That ACL grants read access to the AllUsers group, so every object in the bucket becomes readable by anyone on the internet; denying it is a guardrail against accidental exposure through a misconfigured bucket ACL.

    The scope is deliberately narrow and should be understood as such: the statement matches one canned ACL value on one API operation. It does not cover public-read-write or authenticated-read, an ACL supplied at bucket creation (s3:CreateBucket also accepts x-amz-acl), object-level ACLs (s3:PutObjectAcl), explicit grants sent through the x-amz-grant-* headers, or public access granted by a bucket policy. Treat it as one layer alongside S3 Block Public Access at the account level, not as a complete public-access control.

    Validation Strategy

    How to test this SCP works

    To validate this SCP, act as a principal in a member account under the OU the policy is attached to (SCPs never apply to the management account), create a bucket, and then attempt to make it publicly readable through its ACL.

    • Valid test: Create an S3 bucket with no ACL (should succeed, since the deny statement only matches s3:PutBucketAcl)
    • Invalid test: Set the bucket's canned ACL to 'public-read' via s3:PutBucketAcl (should be denied)

    We expect the second call to fail with an AccessDenied error whose message references an explicit deny in a service control policy. Check the message, not just the error code: if S3 Block Public Access (BlockPublicAcls) is enabled on the bucket or account, the same call is rejected with AccessDenied even without this SCP, so the error code alone does not prove the policy is in effect. A denial attributed to the SCP confirms that it is blocking the public-read ACL on buckets.

    SCP Policy & Validation Scenarios

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyPublicReadACL",
          "Effect": "Deny",
          "Action": "s3:PutBucketAcl",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "s3:x-amz-acl": "public-read"
            }
          }
        }
      ]
    }
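The following Python script is an added example, not part of the original page or of any AWS tooling. It evaluates the SCP above, and a broader variant written for this example, against a set of constructed S3 request contexts covering both the validation scenarios from the previous section and the gaps described under "What this SCP does". It reimplements only the small slice of IAM evaluation the policies need (Action globbing, StringEquals, StringLike, and the rule that a missing condition key makes the condition false); the HARDENED_SCP policy, the scenario labels, and the helper names are this example's own assumptions. A result of None means "not blocked by this SCP", not "allowed": IAM permissions are still evaluated separately.

```python
"""Offline evaluation of the DenyPublicReadACL SCP against constructed S3 requests.

Added example, not from the page. Only the subset of IAM condition logic used
by these policies is implemented; Action matching is case-sensitive here,
which is an assumption (AWS matches actions case-insensitively).
"""
import fnmatch
import json

# The SCP exactly as shown on the page.
PAGE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicReadACL",
      "Effect": "Deny",
      "Action": "s3:PutBucketAcl",
      "Resource": "*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "public-read"}}
    }
  ]
}
""")

# Broader variant, an assumption of this example and not a policy from the page:
# every public canned ACL on every API that accepts one, plus the AllUsers
# grant header, which bypasses canned-ACL matching entirely. Other grant
# headers (x-amz-grant-write, -full-control, ...) would need their own statements.
ACL_ACTIONS = ["s3:PutBucketAcl", "s3:PutObjectAcl", "s3:CreateBucket", "s3:PutObject"]
HARDENED_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicCannedAcl",
            "Effect": "Deny",
            "Action": ACL_ACTIONS,
            "Resource": "*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": [
                "public-read", "public-read-write", "authenticated-read"]}},
        },
        {
            "Sid": "DenyAllUsersGrant",
            "Effect": "Deny",
            "Action": ACL_ACTIONS,
            "Resource": "*",
            "Condition": {"StringLike": {"s3:x-amz-grant-read": "*AllUsers*"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """True when every operator/key pair matches the request context.
    A key absent from the request makes StringEquals/StringLike false, as in IAM."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in _as_list(wanted)):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def scp_denies(scp, action, ctx):
    """Return the Sid of the first Deny statement matching the request, else None.
    Resource is "*" in every statement used here, so it is not evaluated."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


ALL_USERS = "uri=http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed request contexts: (label, action, condition keys present on the request).
SCENARIOS = [
    ("create bucket, no ACL", "s3:CreateBucket", {}),
    ("put-bucket-acl private", "s3:PutBucketAcl", {"s3:x-amz-acl": "private"}),
    ("put-bucket-acl public-read", "s3:PutBucketAcl", {"s3:x-amz-acl": "public-read"}),
    ("put-bucket-acl public-read-write", "s3:PutBucketAcl", {"s3:x-amz-acl": "public-read-write"}),
    ("create bucket with public-read ACL", "s3:CreateBucket", {"s3:x-amz-acl": "public-read"}),
    ("put-object-acl public-read", "s3:PutObjectAcl", {"s3:x-amz-acl": "public-read"}),
    ("put-bucket-acl AllUsers grant header", "s3:PutBucketAcl", {"s3:x-amz-grant-read": ALL_USERS}),
]


def evaluate(scp):
    """Map each scenario label to the denying Sid, or None when the SCP does not block it."""
    return {label: scp_denies(scp, action, ctx) for label, action, ctx in SCENARIOS}


if __name__ == "__main__":
    for name, scp in (("page SCP", PAGE_SCP), ("hardened SCP", HARDENED_SCP)):
        print(f"== {name}")
        for label, sid in evaluate(scp).items():
            print(f"  {label:40s} {'DENIED by ' + sid if sid else 'not blocked by SCP'}")
```

Running it shows the page's policy denying exactly one scenario (put-bucket-acl public-read) while leaving public-read-write, an ACL passed to CreateBucket, object ACLs and the AllUsers grant header untouched; the broader variant denies all of those and still lets the two benign requests through. To reproduce the two validation scenarios against a real member account, the equivalent CLI calls are `aws s3api create-bucket` with no `--acl` flag and `aws s3api put-bucket-acl --acl public-read` on that bucket; only the second should fail, with the SCP named in the error message.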