Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: S3 Buckets should Prohibit Public Read Access

This rule ensures S3 buckets do not allow public read access to maintain data security.

RuleS3 buckets should prohibit public read access
FrameworkAWS Audit Manager Control Tower Guardrails
Severity
Medium

Ensuring S3 Buckets Prohibit Public Read Access for AWS Audit Manager Control Tower Guardrails

Rule Description

In an AWS environment, maintaining the confidentiality and security of data stored in S3 buckets is a top priority. One of the key aspects of securing S3 buckets is to ensure that they do not allow public read access, unless intentionally designed to do so (e.g., hosting a public website). The AWS Audit Manager and Control Tower provide Guardrails that can automatically enforce and audit this security best practice.

This rule focuses on prohibiting public read access to prevent unauthorized access to data. It stipulates that S3 buckets must be configured to reject any requests that allow public read access, ensuring that only explicitly authorized users and roles can access the contents.

Troubleshooting Steps

If an S3 bucket is found to offer public read access, the following steps should be used to remediate the issue:

1. Identify Public Buckets

Run the following AWS CLI command to list all the S3 buckets and check their access status:

aws s3api list-buckets --query 'Buckets[].Name' --output text | xargs -n1 -t aws s3api get-bucket-acl --bucket

2. Evaluate Bucket Policies

For each identified public bucket, check the bucket policy:

aws s3api get-bucket-policy --bucket BUCKET-NAME

3. Block Public Access

Block public access to the bucket using the AWS Management Console or AWS CLI:

AWS Management Console:

  • Go to the Amazon S3 console.
  • Select the bucket you want to modify.
  • Click on the 'Permissions' tab.
  • Click on 'Block public access'.
  • Check 'Block all public access' and save changes.

AWS CLI:

aws s3api put-public-access-block \
    --bucket BUCKET-NAME \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

4. Modify Bucket Policies

If there is a bucket policy allowing public read access, modify the policy to remove any statements granting

s3:GetObject
permission to
Principal
*
.

Example removal using AWS CLI:

aws s3api put-bucket-policy --bucket BUCKET-NAME --policy file://new-policy.json

Remediation Guide

Here's a step-by-step guide to ensure your S3 buckets prohibit public read access:

Step 1: Check Bucket Access

Audit your buckets to identify if any are publicly accessible. Use AWS CLI or AWS Management Console for this purpose.

Step 2: Block Public Access

Utilize the bucket settings to block new public ACLs and any public bucket policies.

Step 3: Modify Policies

Carefully edit bucket policies to ensure they do not grant public read access. This involves removing or editing specific policy statements.

Step 4: Validate Changes

After you have made changes, validate that they have been properly implemented by testing the bucket accessibility. Try to access the bucket using a different account that should not have access.

Step 5: Monitor and Automate

Establish monitoring and auditing mechanisms, such as AWS Control Tower Guardrails, to detect and respond to changes in bucket access policies automatically. Also, utilize AWS Audit Manager to maintain continuous compliance.

Summary

Prohibiting public read access for S3 buckets is a critical security measure that can protect your data from unauthorized access. By using AWS features like Control Tower Guardrails and Audit Manager, you can automate the enforcement and review of these policies. The troubleshooting and remediation steps outlined above should be part of your standard practices for S3 bucket security management.

Is your System Free of Underlying Vulnerabilities?
Find Out Now