Inside a private AWS S3 bucket, an individual object can still be made public in any of the following ways:
- Update the object's access control list (ACL) using the Amazon S3 console
- Update the object's ACL using the AWS Command Line Interface (AWS CLI)
To make sure that no individual object is turned public inside an otherwise private S3 bucket, we can use the AWS Block Public Access settings, specifically the IgnorePublicAcls boolean ("Block public access to buckets and objects granted through any access control lists (ACLs)").
Netskope SPM allows you to write a custom rule that checks the above configuration for each S3 bucket:
S3Bucket should have Access eq "Private"
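As an added example (not code from the page, Netskope or AWS), the following models the interaction the rule is guarding against: an object ACL granting access to AllUsers or AuthenticatedUsers only exposes the object when the bucket's IgnorePublicAcls setting is off. The input dicts mirror the shape boto3 returns from get_public_access_block() and get_object_acl(); the sample ACL and block configurations are constructed.

```python
from typing import Optional

# The two group grantees AWS counts as "public" for Block Public Access purposes.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_grants_public_access(acl: dict) -> bool:
    """True if any grant in an ACL (get_object_acl / get_bucket_acl shape) targets a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            return True
    return False


def public_acls_ignored(block_config: Optional[dict]) -> bool:
    """True if IgnorePublicAcls is enabled on the bucket.
    A bucket with no PublicAccessBlock configuration (boto3 raises
    NoSuchPublicAccessBlockConfiguration) is modelled as None: nothing is ignored.
    BlockPublicAcls alone only rejects *new* public ACLs; it does not neutralise existing ones."""
    if block_config is None:
        return False
    return bool(block_config.get("IgnorePublicAcls", False))


def object_effectively_public(block_config: Optional[dict], object_acl: dict) -> bool:
    """An object is anonymously reachable only if its ACL is public AND public ACLs are not ignored."""
    return acl_grants_public_access(object_acl) and not public_acls_ignored(block_config)


# Constructed sample data: an object ACL that grants READ to AllUsers.
PUBLIC_READ_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# Constructed bucket settings: one with IgnorePublicAcls on, one with it off.
HARDENED = {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
WEAK = {"BlockPublicAcls": True, "IgnorePublicAcls": False, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("weak bucket exposes object:", object_effectively_public(WEAK, PUBLIC_READ_ACL))          # True
    print("hardened bucket exposes object:", object_effectively_public(HARDENED, PUBLIC_READ_ACL))  # False
```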