Ensure S3 Bucket Policy Rule

Rule Description:

Troubleshooting Steps:

2. 1.
   Validate if the S3 bucket policy exists and has the required deny statement for HTTP requests targeting cis_v150.
4. 2.
   Check if the HTTP requests are being denied by accessing the bucket resources using HTTP.
6. 3.
   Review any error messages or logs related to denied HTTP requests.

Necessary Codes:

Step-by-step Guide for Remediation:

2. 1.
   Open the AWS Management Console and navigate to the S3 service.
4. 2.
   From the list of buckets, select the bucket in question that requires the policy update.
6. 3.
   Click on the "Permissions" tab and then choose "Bucket Policy."
8. 4.
   Review the existing bucket policy. If there is no existing policy, proceed to step 6.
10. 5.
    Edit the existing policy and add the deny statement for HTTP requests targeting cis_v150. The policy JSON should resemble the following:

{
    "Version": "2012-10-17",
    "Id": "DenyHTTPRequestsForCis_V150",
    "Statement": [
        {
            "Sid": "DenyHTTP",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceProtocol": "HTTP",
                    "aws:SourceCidrIp": "cis_v150"
                }
            }
        }
    ]
}

2. 1.
   If there is no existing policy, create a new policy that includes the above deny statement. Copy and paste the policy JSON into the bucket policy editor.
4. 2.
   Save the changes by clicking on the "Save" button.
6. 3.
   Test whether the bucket policy is working by attempting to access the bucket resources using an HTTP request targeting cis_v150. It should be denied.
8. 4.
   Monitor the bucket for any denied access attempts or errors related to HTTP requests.
10. 5.
    If necessary, adjust the policy further or consult AWS support for further assistance.