Automatically scan for public Amazon S3 buckets and block public access

Storage Blog
This article describes an automated solution that detects and blocks public Amazon S3 buckets in your AWS account, unless you have explicitly marked a bucket as intended to be public. The solution uses AWS Security Hub, Amazon EventBridge, AWS Lambda, and Amazon CloudWatch.

Specifically, the article covers:

  • Setting up AWS Security Hub to detect public S3 buckets using the AWS Foundational Security Best Practices standard
  • Creating an AWS Lambda function to block public access to S3 buckets based on resource tags
  • Configuring an Amazon EventBridge rule triggered by Security Hub findings, with the Lambda function and a CloudWatch log group as targets
  • Setting up CloudWatch metrics and alarms to send notifications when public S3 buckets are detected
  • Conclusion and links to additional resources
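The Lambda step in that pipeline, as an added example that is not the article's own code: it reads the bucket ARNs out of a Security Hub finding delivered by EventBridge, leaves a bucket alone only when a tag marks it as intentionally public, and otherwise applies S3 Block Public Access. The tag key PublicAccessAllowed, the fail-closed handling of untagged buckets, and the sample event are assumptions.

```python
# Added example (not the article's code): Lambda handler that blocks public access
# on S3 buckets named in a Security Hub finding unless a tag marks them public on purpose.
import logging

log = logging.getLogger(__name__)
ALLOW_TAG_KEY = "PublicAccessAllowed"  # assumed tag convention, not from the article
S3_ARN_PREFIX = "arn:aws:s3:::"
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
# Constructed sample of a "Security Hub Findings - Imported" EventBridge event (ASFF).
SAMPLE_EVENT = {"detail": {"findings": [{"Compliance": {"Status": "FAILED"},
    "Resources": [{"Type": "AwsS3Bucket", "Id": S3_ARN_PREFIX + "example-bucket"}]}]}}

def bucket_names_from_finding(event):
    """Bucket names from FAILED findings only; PASSED findings and other resource types are skipped."""
    names = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Compliance", {}).get("Status") != "FAILED":
            continue
        for res in finding.get("Resources", []):
            arn = res.get("Id", "")
            if res.get("Type") == "AwsS3Bucket" and arn.startswith(S3_ARN_PREFIX):
                names.append(arn[len(S3_ARN_PREFIX):])
    return names

def public_access_intended(s3, bucket):
    """True only when the bucket carries ALLOW_TAG_KEY=true. An untagged bucket
    (NoSuchTagSet) or unreadable tags fail closed, so the bucket still gets blocked."""
    try:
        tags = s3.get_bucket_tagging(Bucket=bucket)["TagSet"]
    except Exception as exc:
        log.warning("tags unreadable for %s (%s); not exempting", bucket, exc)
        return False
    return any(t["Key"] == ALLOW_TAG_KEY and t["Value"].lower() == "true" for t in tags)

def handler(event, context=None, s3=None):
    """Lambda entry point; returns blocked buckets. Inject s3 to test without AWS (boto3 loads lazily)."""
    if s3 is None:
        import boto3
        s3 = boto3.client("s3")
    blocked = []
    for bucket in bucket_names_from_finding(event):
        if public_access_intended(s3, bucket):
            log.info("%s tagged %s=true; left as is", bucket, ALLOW_TAG_KEY)
            continue
        s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
        blocked.append(bucket)
    return blocked

if __name__ == "__main__":
    print(bucket_names_from_finding(SAMPLE_EVENT))  # ['example-bucket']
```

The Lambda's execution role needs s3:GetBucketTagging and s3:PutBucketPublicAccessBlock on the buckets it manages; the EventBridge rule should already narrow the events to the Security Hub S3 controls, so the handler only re-checks the compliance status.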



Related articles

  • Nov 19, 2024: AWS announces Block Public Access for Amazon Virtual Private Cloud
  • Nov 26, 2025: Amazon S3 Block Public Access now supports organization-level enforcement
  • Nov 19, 2024: Enhancing VPC Security with Amazon VPC Block Public Access
  • Mar 25, 2026: Deploy VPC Block Public Access across AWS Organizations