
Fix: Public S3 Buckets Flagged by Prowler / Security Hub

2026-06-20 2 min read

A publicly accessible S3 bucket is the finding that shows up first and matters most in almost every first scan. It maps to CIS 1.20 and Security Hub [S3.1] (account-level Block Public Access), [S3.2]/[S3.3] (public read/write prohibited), and [S3.8] (bucket-level Block Public Access).

Practitioner guidance, not legal or audit advice.

Fix it account-wide first

The highest-leverage fix is the account-level S3 Block Public Access setting — it overrides any bucket or object ACL that tries to make data public:

aws s3control put-public-access-block \
  --account-id <account-id> \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

One command, every bucket covered, going forward. Apply it in every account and guard it against drift: an SCP that denies changes to the setting, or a Config remediation that reapplies it if anyone turns it off.

Then per-bucket for anything still flagged

aws s3api put-public-access-block \
  --bucket <bucket-name> \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

The bucket that's public on purpose

Some buckets should be reachable — a static site, public assets. Don't blanket-remediate them into an outage. The right pattern:

  • Serve them through CloudFront with Origin Access Control (OAC), keeping the bucket itself private.
  • If a bucket genuinely must be public, document it as an exception with a compensating control. For CPS 234, a tracked, justified exception is a pass; an unexplained public bucket is a finding.
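The CloudFront-with-OAC pattern keeps the bucket private by granting read access only to the CloudFront service principal, scoped to one distribution. The following is an added example, not code from the post: it renders that bucket policy and runs a simplified check that tells the OAC policy apart from the classic public-read policy. The bucket, account and distribution ids are placeholders, and the "public" test (Allow to principal "*" with no Condition) is a deliberate simplification of S3's own evaluation.

```python
import json
from typing import Any

# Placeholders (assumptions for this example, not values from the post).
BUCKET_NAME = "<bucket-name>"
ACCOUNT_ID = "<account-id>"
DISTRIBUTION_ID = "<distribution-id>"


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Bucket policy for a private bucket fronted by CloudFront with OAC.

    Only the CloudFront service principal may read objects, and only when the
    request comes from the named distribution (AWS:SourceArn). No wildcard
    principal is involved, so Block Public Access can stay fully enabled.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                    }
                },
            }
        ],
    }


def _principal_is_everyone(principal: Any) -> bool:
    """True for the wildcard principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy: dict) -> list[str]:
    """Return the Sids of Allow statements that grant access to everyone.

    Simplified classifier (an assumption of this example, not S3's own logic):
    an Allow to the wildcard principal with no Condition block counts as public.
    """
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_everyone(stmt.get("Principal")) and not stmt.get("Condition"):
            found.append(stmt.get("Sid", f"statement-{i}"))
    return found


# Constructed "before" policy: the public-read pattern Prowler and Security Hub flag.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET_NAME}/*",
        }
    ],
}

if __name__ == "__main__":
    oac = oac_bucket_policy(BUCKET_NAME, ACCOUNT_ID, DISTRIBUTION_ID)
    print("public-read policy flags:", public_statements(PUBLIC_READ_POLICY))
    print("OAC policy flags:", public_statements(oac))
    print(json.dumps(oac, indent=2))
```

Swap the placeholders for real values and apply the rendered JSON with `aws s3api put-bucket-policy`; with Block Public Access fully enabled on the bucket, the OAC grant still works because it names a service principal rather than the public.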

Keep it fixed

Add the Config rules s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited and s3-account-level-public-access-blocks to catch regressions, and consider auto-remediation — but exclude tagged exceptions so you don't break the intentional ones.
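The account-level and per-bucket commands above combine, and the remediation loop has to honour documented exceptions. As an added example (not code from the post), the following models how S3 resolves the two levels, then sorts a constructed bucket inventory into compliant, documented exception and needs-remediation, emitting the post's per-bucket command for the last group. The configuration dicts stand in for the `PublicAccessBlockConfiguration` returned by `aws s3control get-public-access-block` and `aws s3api get-public-access-block`; the exception tag name and the bucket names are assumptions.

```python
from dataclasses import dataclass, field

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Tag that marks a tracked, intentionally public bucket. The name is an
# assumption for this example; key it on whatever your exception register uses.
EXCEPTION_TAG = "PublicException"


@dataclass
class Bucket:
    name: str
    # Bucket-level PublicAccessBlockConfiguration; an empty dict models a bucket
    # that has never had one set.
    public_access_block: dict = field(default_factory=dict)
    tags: dict = field(default_factory=dict)


def effective_block(account_cfg: dict, bucket_cfg: dict) -> dict:
    """Combine account- and bucket-level settings.

    When the two levels differ S3 applies the more restrictive one, so a flag is
    effectively on if either level turns it on.
    """
    return {k: bool(account_cfg.get(k, False)) or bool(bucket_cfg.get(k, False)) for k in BPA_KEYS}


def fully_blocked(cfg: dict) -> bool:
    """All four Block Public Access flags on."""
    return all(cfg.get(k, False) for k in BPA_KEYS)


def remediation_command(bucket_name: str) -> str:
    """The per-bucket fix from the post, rendered for one bucket."""
    return (
        "aws s3api put-public-access-block "
        f"--bucket {bucket_name} "
        "--public-access-block-configuration "
        "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
    )


def triage(account_cfg: dict, buckets: list[Bucket]) -> dict:
    """Sort buckets into compliant / documented exception / needs remediation.

    Also reports whether the account-level setting itself is incomplete
    (the Security Hub S3.1 finding), which is the fix to apply first.
    """
    result = {
        "account_level_fix_needed": not fully_blocked(account_cfg),
        "compliant": [],
        "exception": [],
        "remediate": [],
    }
    for b in buckets:
        if fully_blocked(effective_block(account_cfg, b.public_access_block)):
            result["compliant"].append(b.name)
        elif b.tags.get(EXCEPTION_TAG):
            # Intentionally public and tracked: leave it alone, but report it.
            result["exception"].append(b.name)
        else:
            result["remediate"].append(b.name)
    return result


# Constructed sample inventory (not real buckets). The account-level block is not
# yet enabled, so each bucket stands on its own setting.
ACCOUNT_CFG_UNSET = {k: False for k in BPA_KEYS}
SAMPLE_BUCKETS = [
    Bucket("app-logs", {k: True for k in BPA_KEYS}),
    Bucket("data-export"),  # nothing configured, no exception tag -> remediate
    Bucket("www-static-site", tags={EXCEPTION_TAG: "CHG-0042"}),  # tracked exception
]

if __name__ == "__main__":
    report = triage(ACCOUNT_CFG_UNSET, SAMPLE_BUCKETS)
    print(report)
    for name in report["remediate"]:
        print(remediation_command(name))
```

Once the account-level setting is applied, `effective_block` reports every bucket as fully blocked, which is exactly why the post says to fix the account first; the exception list is what feeds the compensating-control register rather than the remediation queue.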

Why it matters for CPS 234

Public data is the cleanest possible "implementation of controls" failure (CPS 234 Para 21). The evidence an auditor wants is the Config compliance timeline showing Block Public Access held across the period — see what auditors ask for.


Primary sources: S3 Block Public Access · CIS in Security Hub
