
Rule: S3 Buckets Should Prohibit Public Write Access

This rule ensures that S3 buckets prohibit public write access to enhance data security.

Rule: S3 buckets should prohibit public write access
Framework: CISA-cyber-essentials
Severity: High

Rule Description:

According to the CISA-Cyber Essentials framework, S3 buckets should not allow public write access. Public write access allows unauthorized users to upload, modify, or delete objects within the S3 bucket, which can lead to potential data breaches or unauthorized data modifications.

Troubleshooting Steps (if applicable):

  1. Verify the current access settings of your S3 bucket.
  2. Check whether any ACLs (Access Control Lists) or bucket policies explicitly allow public write access.
  3. Review any existing IAM (Identity and Access Management) policies that provide public write access for the bucket.
  4. Check whether any objects within the bucket have public write permissions.

Necessary Codes (if applicable):

There may be instances where you need to modify the bucket ACL or policy to restrict public write access. The following commands can be used to achieve this:

  1. To update the S3 bucket ACL to remove public write access:

     aws s3api put-bucket-acl --bucket YOUR_BUCKET_NAME --acl private

  2. To update the S3 bucket policy to remove public write access (the file:// prefix tells the AWS CLI to read the policy document from a local file rather than treating the argument as the policy text itself):

     aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy file://YOUR_POLICY_FILE.json

Replace YOUR_BUCKET_NAME with the name of your S3 bucket and YOUR_POLICY_FILE.json with the path to a JSON file containing the updated bucket policy.

Remediation Steps:

  1. Identify the S3 bucket(s) that need to be remediated based on the CISA-Cyber Essentials rule.
  2. Review the current access settings, ACLs, and policies for each identified bucket.
  3. Remove any existing ACLs or bucket policy statements that allow public write access.
  4. Update the S3 bucket ACL to set the access level to private using the command mentioned above.
  5. If needed, update the bucket policy to remove public write access using the command mentioned above.
  6. Repeat the steps for all relevant S3 buckets within the environment.

Following these steps will help ensure that your S3 buckets prohibit public write access, aligning with the CISA-Cyber Essentials framework and mitigating the risk of unauthorized modifications or breaches.
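The review of ACLs and bucket policies called for in the troubleshooting and remediation steps can be scripted against the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return. The following is an added example, not Cloud Defense's own tooling; the two sample documents, the bucket name and the owner ID in it are constructed placeholders.

```python
# Added example (not Cloud Defense's code): flag public write exposure in the JSON
# that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return.
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:deleteobjectversion",
                 "s3:putobjectacl", "s3:putbucketacl", "s3:putbucketpolicy"}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def public_write_acl_grants(acl):
    """Permissions the ACL hands to AllUsers/AuthenticatedUsers that allow writes."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g["Permission"] in ACL_WRITE_PERMS]

def _is_write_action(action):
    a = action.lower()
    if a.endswith("*"):  # "*", "s3:*", "s3:Put*" and similar wildcards
        return any(w.startswith(a[:-1]) for w in WRITE_ACTIONS)
    return a in WRITE_ACTIONS

def _is_public_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_write_statements(policy):
    """Sids of Allow statements granting a write action to everyone. Conditions are
    not evaluated, so a conditioned statement is still reported (conservative)."""
    return [st.get("Sid", "<no Sid>") for st in _as_list(policy.get("Statement", []))
            if st.get("Effect") == "Allow"
            and _is_public_principal(st.get("Principal"))
            and any(_is_write_action(a) for a in _as_list(st.get("Action", [])))]

# Constructed sample: the ACL grants AllUsers WRITE; the policy's PublicRead statement
# is read-only and must not be flagged, while PublicUpload must be.
SAMPLE_ACL = json.loads('''{"Owner": {"ID": "EXAMPLE_OWNER_ID"}, "Grants": [
 {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"}, "Permission": "FULL_CONTROL"},
 {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
  "Permission": "WRITE"}]}''')
SAMPLE_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
 {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"},
 {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"}]}''')
print("ACL public write grants:", public_write_acl_grants(SAMPLE_ACL))      # ['WRITE']
print("Policy public write Sids:", public_write_statements(SAMPLE_POLICY))  # ['PublicUpload']
```

Any non-empty result means the bucket fails this rule and needs the ACL reset or the offending policy statements removed as described above.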
