This rule ensures that S3 buckets do not allow public read access to enhance data security.
Rule | S3 buckets should prohibit public read access
Framework | CISA-cyber-essentials
Severity | Medium
Rule Description
This rule requires S3 buckets to prohibit public read access under CISA Cyber Essentials. In S3 terms, a bucket must not grant read access to everyone, whether through an ACL grant to the AllUsers or AuthenticatedUsers group or through a bucket policy statement that allows reads for any principal, so that only authorized identities can read its contents.
Public read access can expose sensitive information and pose a security risk, especially when dealing with data governed by the CISA Cyber Essentials framework. It is crucial to enforce this rule to maintain the confidentiality and integrity of the data stored in S3 buckets.
Troubleshooting Steps
Check S3 Bucket Policies: Verify if there is an existing policy that allows public read access. If a policy is found, it needs to be modified to disallow public access.
Check Access Control Lists (ACLs): Confirm that there are no ACLs granting public read access. If any ACLs are found allowing public read access, they should be modified accordingly.
Analyze Logs and Audit Trails: Review the logs and audit trails of S3 bucket access to identify any unauthorized public read access. If any entries are found, further investigation is required to identify the root cause and take appropriate remedial actions.
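As an added illustration of the first two troubleshooting checks (not part of this rule page), the following Python script inspects a bucket ACL and a bucket policy in the shapes returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`, reports grants that make objects publicly readable, and folds in the bucket's Public Access Block settings, which can neutralise such grants. The sample ACL and policy are constructed, and the list of condition keys treated as scoping a statement to a network or account is an assumption.

```python
"""Offline check of get-bucket-acl / get-bucket-policy output for public read access."""
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}
# Assumption: condition keys that scope a "Principal": "*" statement to a network or
# account (a subset of the keys AWS treats as making such a statement non-public).
RESTRICTING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
                    "aws:principalorgid", "aws:principalaccount", "aws:principalarn"}
_as_list = lambda v: v if isinstance(v, list) else [v]

def acl_public_read_grants(acl):
    """ACL grants that give AllUsers/AuthenticatedUsers READ or FULL_CONTROL."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in ("READ", "FULL_CONTROL")]

def policy_public_read_sids(policy):
    """Sids of Allow statements that grant object reads to every principal."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    sids = []
    for st in _as_list(policy.get("Statement", [])):
        p = st.get("Principal")
        public = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        cond_keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if (st.get("Effect") == "Allow" and public and actions & READ_ACTIONS
                and not cond_keys & RESTRICTING_KEYS):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids

def assess(acl, policy, pab):
    """Public Access Block settings override grants, so fold them into the verdict."""
    acl_hits, pol_hits = acl_public_read_grants(acl), policy_public_read_sids(policy)
    return {"acl_public_read": bool(acl_hits) and not pab.get("IgnorePublicAcls", False),
            "policy_public_read": bool(pol_hits) and not pab.get("RestrictPublicBuckets", False),
            "acl_grants": acl_hits, "policy_sids": pol_hits}

# Constructed sample: one public ACL grant, one public statement, one VPC-endpoint-scoped one
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}
print(json.dumps(assess(SAMPLE_ACL, SAMPLE_POLICY, {}), indent=2))
```

Feed it the JSON from `aws s3api get-bucket-acl`, `get-bucket-policy` (the `Policy` string) and `get-public-access-block` (the `PublicAccessBlockConfiguration` object) to triage real buckets.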
Necessary Codes
If any existing policy or ACL allows public read access, you can use the following code snippets to modify them and enforce the prohibition of public access:
Example 1: S3 Bucket Policy prohibiting public read access. The statement denies s3:GetObject to every principal unless the request arrives through the VPC endpoint named in the condition (StringNotEquals), so anonymous and internet-originated reads are refused; replace vpce-EXAMPLE with your own endpoint ID. Note that a StringEquals match against an empty aws:SourceVpce value never matches, so the Deny would not take effect.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicReadAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE"
        }
      }
    }
  ]
}
Example 2: S3 Bucket ACL revoking public read access
aws s3api put-bucket-acl --bucket your-bucket-name --acl private
Step-by-Step Guide for Remediation
Follow the steps below to remediate the S3 buckets and prohibit public read access for CISA-cyber-essentials:
1. Identify the S3 buckets that store data governed by the CISA Cyber Essentials framework.
2. Review the existing S3 bucket policies by navigating to the AWS S3 Management Console and selecting the appropriate bucket.
3. Modify the bucket policy to enforce the prohibition of public read access:
4. If there are multiple S3 buckets, repeat steps 2-4 for each bucket.
5. Validate the changes and confirm that the S3 buckets no longer allow public read access by attempting to access the content from an unauthenticated source.
6. Monitor the S3 buckets and review the logs and audit trails regularly to ensure ongoing compliance with the policy.
Note: It is recommended to involve security and compliance teams while implementing this rule to align with organizational policies and standards. Additionally, regular audits should be conducted to verify the effectiveness of the implemented controls.