
Rule: S3 Buckets Should Prohibit Public Read Access

This rule ensures S3 buckets do not allow public read access, critical for foundational security.

Rule: S3 buckets should prohibit public read access
Framework: AWS Foundational Security Best Practices
Severity: Critical

Rule Description:

The rule ensures that S3 buckets in an AWS environment are configured to prohibit public read access. It implements a control from the AWS Foundational Security Best Practices, a standard that aims to enhance the security posture of AWS resources.

Policy Details:

The policy can be summarized as follows:

  1. Policy Name: S3BucketPublicReadProhibited
  2. Policy Type: AWS Config Managed Rule
  3. Description: This policy ensures that S3 buckets do not have public read access. It checks the bucket and its associated Access Control Lists (ACLs) to verify that public read permissions are not granted.
  4. Compliance: Must comply with the AWS Foundational Security Best Practices

Troubleshooting Steps:

If there is an issue with compliance or if the S3 bucket has public read access, follow these troubleshooting steps:

  1. Identify the affected S3 bucket by checking the AWS Config compliance dashboard or by using the AWS CLI commands below.
  2. Review the bucket's permissions and access control settings to identify any misconfigurations.
  3. Check the bucket's Access Control List (ACL) to ensure that public read access is not granted.
  4. Review the bucket's bucket policy, if any, to confirm that it does not grant public read access.
  5. If required, update the bucket's ACL or bucket policy to revoke public read access and bring the bucket into compliance.
  6. Validate the changes by rerunning the compliance checks or by using the AWS CLI commands.

Necessary Codes:

No specific code is required to adhere to this policy. However, the following AWS CLI commands can be used for troubleshooting and remediation if necessary.

To check if an S3 bucket has public read access using the AWS CLI:

aws s3api get-bucket-acl --bucket <bucket-name>

To reset the bucket's ACL to private (owner-only), removing any public read grant:

aws s3api put-bucket-acl --bucket <bucket-name> --acl private

To check the bucket policy associated with the S3 bucket using the AWS CLI:

aws s3api get-bucket-policy --bucket <bucket-name>

To replace the bucket policy with one (bucket_policy.json) that does not grant public read access (put-bucket-policy overwrites the existing policy, so the file must contain the complete policy you want to keep):

aws s3api put-bucket-policy --bucket <bucket-name> --policy file://bucket_policy.json

Note: Replace <bucket-name> with the actual name of the S3 bucket.
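As an added example that is not part of this page or of the AWS Config rule's own implementation, the following Python applies the two checks described above (public-group ACL grants, and policy Allow statements with a wildcard principal) to the JSON returned by get-bucket-acl and get-bucket-policy. The sample ACL and policy are constructed; example-bucket, example-owner-id and vpc-example are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Grantee group URIs that mean "everyone" (or every AWS account holder) in an S3 ACL.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_public_read_grants(acl):
    """Grants in a get-bucket-acl response that give a public group READ or FULL_CONTROL."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in ("READ", "FULL_CONTROL")]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_is_public(p):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean anyone.
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def policy_public_read_statements(policy_json):
    """(Sid, has_condition) for Allow statements granting s3:GetObject to everyone. The
    Policy string from get-bucket-policy is JSON, hence json.loads. Conditioned statements
    are reported too: a Condition may or may not narrow the audience, so review them."""
    found = []
    for i, s in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if s.get("Effect") != "Allow" or not _principal_is_public(s.get("Principal")):
            continue
        if any(fnmatchcase("s3:getobject", a.lower()) for a in _as_list(s.get("Action", []))):
            found.append((s.get("Sid", f"statement[{i}]"), "Condition" in s))
    return found

def bucket_allows_public_read(acl, policy_json=None):
    # Non-compliant with S3BucketPublicReadProhibited if either layer opens reads.
    return bool(acl_public_read_grants(acl)) or bool(
        policy_json and policy_public_read_statements(policy_json))

# Constructed sample shaped like `aws s3api get-bucket-acl` output; not a real bucket.
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}

# Constructed sample policy, as the `Policy` string from `aws s3api get-bucket-policy`.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Get*"],
     "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-example"}}}]})
```

Feed it the output of the two get commands above (for example, the `Policy` field of get-bucket-policy) to triage a bucket before and after remediation.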

Remediation Steps:

Follow these steps to remediate an S3 bucket with public read access:

  1. Identify the S3 bucket with public read access using the troubleshooting steps mentioned above.
  2. Run the AWS CLI command to update the bucket's ACL and remove public read access:

aws s3api put-bucket-acl --bucket <bucket-name> --acl private

  3. If there is a bucket policy associated with the bucket that allows public read access, update the bucket policy using the AWS CLI or the AWS Management Console to explicitly deny public read access.
  4. Validate the changes by checking the bucket's permissions and running the compliance checks.

By following these steps, the S3 bucket should be remediated to comply with the AWS Foundational Security Best Practices.
