Rule: S3 Buckets should Prohibit Public Read Access
This rule ensures S3 buckets do not allow public read access to maintain data security.
| Rule | S3 buckets should prohibit public read access |
| Framework | AWS Audit Manager Control Tower Guardrails |
| Severity | ✔ Medium |
Ensuring S3 Buckets Prohibit Public Read Access for AWS Audit Manager Control Tower Guardrails
Rule Description
In an AWS environment, maintaining the confidentiality and security of data stored in S3 buckets is a top priority. One of the key aspects of securing S3 buckets is to ensure that they do not allow public read access, unless intentionally designed to do so (e.g., hosting a public website). The AWS Audit Manager and Control Tower provide Guardrails that can automatically enforce and audit this security best practice.
This rule focuses on prohibiting public read access to prevent unauthorized access to data. It stipulates that S3 buckets must be configured to reject any requests that allow public read access, ensuring that only explicitly authorized users and roles can access the contents.
Troubleshooting Steps
If an S3 bucket is found to offer public read access, the following steps should be used to remediate the issue:
1. Identify Public Buckets
Run the following AWS CLI command to list all the S3 buckets and check their access status:
aws s3api list-buckets --query 'Buckets[].Name' --output text | xargs -n1 -t aws s3api get-bucket-acl --bucket
2. Evaluate Bucket Policies
For each identified public bucket, check the bucket policy:
aws s3api get-bucket-policy --bucket BUCKET-NAME
3. Block Public Access
Block public access to the bucket using the AWS Management Console or AWS CLI:
AWS Management Console:
- Go to the Amazon S3 console.
- Select the bucket you want to modify.
- Click on the 'Permissions' tab.
- Click on 'Block public access'.
- Check 'Block all public access' and save changes.
AWS CLI:
aws s3api put-public-access-block \ --bucket BUCKET-NAME \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
4. Modify Bucket Policies
If there is a bucket policy allowing public read access, modify the policy to remove any statements granting
s3:GetObjectPrincipal*Example removal using AWS CLI:
aws s3api put-bucket-policy --bucket BUCKET-NAME --policy file://new-policy.json
Remediation Guide
Here's a step-by-step guide to ensure your S3 buckets prohibit public read access:
Step 1: Check Bucket Access
Audit your buckets to identify if any are publicly accessible. Use AWS CLI or AWS Management Console for this purpose.
Step 2: Block Public Access
Utilize the bucket settings to block new public ACLs and any public bucket policies.
Step 3: Modify Policies
Carefully edit bucket policies to ensure they do not grant public read access. This involves removing or editing specific policy statements.
Step 4: Validate Changes
After you have made changes, validate that they have been properly implemented by testing the bucket accessibility. Try to access the bucket using a different account that should not have access.
Step 5: Monitor and Automate
Establish monitoring and auditing mechanisms, such as AWS Control Tower Guardrails, to detect and respond to changes in bucket access policies automatically. Also, utilize AWS Audit Manager to maintain continuous compliance.
Summary
Prohibiting public read access for S3 buckets is a critical security measure that can protect your data from unauthorized access. By using AWS features like Control Tower Guardrails and Audit Manager, you can automate the enforcement and review of these policies. The troubleshooting and remediation steps outlined above should be part of your standard practices for S3 bucket security management.