s3-bucket-public-read-prohibited - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

s3-bucket-public-read-prohibited

Checks whether your Amazon S3 buckets prevent public read access. The rule evaluates the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).

The rule is compliant when both of the following are true:

  • The Block Public Access setting restricts public policies or the bucket policy does not allow public read access.

  • The Block Public Access setting restricts public ACLs or the bucket ACL does not allow public read access.

The rule is noncompliant when either of the following is true:

  • The Block Public Access setting does not restrict public policies, so Amazon Config evaluates the bucket policy, and the policy allows public read access.

  • The Block Public Access setting does not restrict public bucket ACLs, so Amazon Config evaluates the bucket ACL, and the ACL allows public read access.
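
The evaluation logic above, as an added offline model that is not Amazon Config's own code: inputs follow the shapes the S3 API returns for the bucket's PublicAccessBlockConfiguration, bucket policy document, and GetBucketAcl response. The mapping of "restricts public policies" to RestrictPublicBuckets and "restricts public ACLs" to IgnorePublicAcls, and the public-read heuristics, are this example's assumptions; the sample policy is constructed.

```python
# Added example, not from the Amazon Config docs: offline model of the rule's logic.
import json

# S3 predefined groups whose grants make an ACL public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

# Constructed sample policy granting anonymous read of every object.
SAMPLE_PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

def _principal_is_public(principal):
    # "*" or {"AWS": "*"} means any principal, including anonymous callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_allows_public_read(policy_json):
    """Heuristic: an unconditional Allow for any principal covering GetObject."""
    for stmt in json.loads(policy_json or "{}").get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")
                and any(a.lower() in READ_ACTIONS for a in actions)):
            return True
    return False

def acl_allows_public_read(acl):
    """True if AllUsers or AuthenticatedUsers hold READ or FULL_CONTROL on the bucket."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False

def evaluate(public_access_block, policy_json, acl):
    """Apply the two compliance conditions; returns "COMPLIANT" or "NON_COMPLIANT"."""
    # Assumption: RestrictPublicBuckets neutralises a public policy, IgnorePublicAcls public ACL grants.
    pab = public_access_block or {}
    policy_ok = pab.get("RestrictPublicBuckets", False) or not policy_allows_public_read(policy_json)
    acl_ok = pab.get("IgnorePublicAcls", False) or not acl_allows_public_read(acl)
    return "COMPLIANT" if policy_ok and acl_ok else "NON_COMPLIANT"
```

A policy statement that is restricted by a Condition (for example to a source IP range) is not treated as public here, which matches the rule's intent but is a simplification of the full policy analysis Amazon Config performs.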

Identifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

Resource Types: AWS::S3::Bucket

Trigger type: Configuration changes and Periodic

Amazon Web Services Region: All supported Amazon regions

Parameters:

None

Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.