Rule: S3 Buckets Should Prohibit Public Read Access

This rule ensures that S3 buckets do not allow public read access, maintaining data security.

Rule: S3 buckets should prohibit public read access
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description

This rule is aimed at ensuring that S3 buckets in an environment that adheres to the Federal Risk and Authorization Management Program (FedRAMP) Low security level, specifically Revision 4, do not have public read access. Public read access means that anyone on the internet, with no AWS credentials at all, can list the bucket or download its objects. Either a public ACL grant or a bucket policy statement that allows the "*" principal is enough on its own to create it, so both must be checked.

Remediation Steps

Step 1: Identify S3 Buckets with Public Read Access

  1. Open the AWS Management Console.
  2. Navigate to the S3 service.
  3. On the S3 dashboard, you will see a list of all your buckets. The "Access" column flags buckets as "Public" or "Objects can be public"; start with those, but review the rest as well.

Step 2: Analyze ACLs and Bucket Policies

  1. Select each bucket from the list that you want to check for public read access.
  2. Within the bucket, go to the "Permissions" tab.
  3. Under "Access control list (ACL)", ensure that neither "Everyone (public access)" nor "Authenticated users group (anyone with an AWS account)" has "List" or "Read" access. In the API these grantees appear as the group URIs http://acs.amazonaws.com/groups/global/AllUsers and http://acs.amazonaws.com/groups/global/AuthenticatedUsers with Permission "READ" or "FULL_CONTROL". If ACLs are disabled for the bucket (Object Ownership set to "Bucket owner enforced"), no ACL grant can take effect and only the bucket policy needs review.

Step 3: Update Access Control Settings

  1. For each bucket found to have public read access, go to the "Permissions" tab.
  2. Under "Bucket policy", verify that there is no statement with "Effect": "Allow" whose Principal is "*" (or {"AWS": "*"}) and whose Action covers s3:GetObject or s3:ListBucket. Such a statement is public unless a Condition restricts who it applies to (for example aws:PrincipalOrgID or aws:SourceVpce); a condition on aws:Referer or a source IP range is not a reliable restriction.
  3. If such statements exist, edit the bucket policy and remove them, or add a condition that limits them to the intended principals. Removing the ACL grants from Step 2 is still required, since a policy Allow and an ACL grant each make objects public on their own. Here's an example of a policy that explicitly denies object reads by any principal outside your AWS Organization. It also covers anonymous requests, because they carry no aws:PrincipalOrgID value and StringNotEquals treats a missing key as a match:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::your-bucket-name/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalOrgID": "your-organization-id"
                }
            }
        }
    ]
}

Note: Replace "your-bucket-name" with the actual bucket name and "your-organization-id" with your organization's ID (the o-xxxxxxxxxx identifier shown in AWS Organizations). Use this Deny only when the account belongs to an AWS Organization; in a standalone account no principal carries aws:PrincipalOrgID, so the statement would lock out your own users. As written it covers object reads only; add s3:ListBucket with the bucket ARN (arn:aws:s3:::your-bucket-name) if key listing must be blocked as well. An explicit Deny in the bucket policy overrides any ACL grant, but removing the public ACL grants is still the cleaner fix.

Step 4: Verify Changes

  1. After updating the bucket policy or ACLs, ensure that public read access has been successfully removed; the bucket's "Access" column in the console should no longer read "Public".
  2. Perform validation tests by attempting to read an object and list the bucket without any credentials, for example with `aws s3api get-object --no-sign-request` or an unsigned HTTPS request to https://your-bucket-name.s3.amazonaws.com/some-key, and again from a non-authorized AWS account. Every attempt should be denied with HTTP 403 (AccessDenied).
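The checks in Steps 2 and 3 can be run against the ACL and policy documents the S3 API returns instead of clicking through each bucket. The script below is an added example, not code from the original page or from Cloud Defense: the two documents it inspects are constructed sample input in the shape of `aws s3api get-bucket-acl` output and of the parsed "Policy" string from `aws s3api get-bucket-policy`, and the bucket name, account ID, canonical user ID and organization ID in them are placeholders. It flags public ACL grants, flags Allow statements that give s3:GetObject or s3:ListBucket to the "*" principal (reporting whether a Condition narrows them), and produces a copy of the policy with the unconditional public reads removed.

```python
"""Flag S3 ACL grants and bucket-policy statements that expose public read.

Added example (not from the original page or from Cloud Defense). SAMPLE_ACL
and SAMPLE_POLICY are constructed input shaped like `aws s3api get-bucket-acl`
and the json.loads'ed "Policy" field of `aws s3api get-bucket-policy`; all IDs
and names in them are placeholders.
"""
import copy
import fnmatch
import json

# Pre-defined grantee groups that make an ACL grant public: AllUsers is
# "Everyone (public access)" in the console; AuthenticatedUsers is any AWS
# account holder, which is effectively public as well.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that let the grantee list the bucket or read objects.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# A policy statement is a read exposure if its Action covers either of these.
# IAM action matching is case-insensitive and allows '*' wildcards, hence fnmatch.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

SAMPLE_ACL = {  # constructed: owner grant plus one public READ grant
    "Owner": {"ID": "placeholder-canonical-user-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-canonical-user-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

SAMPLE_POLICY = {  # constructed: one public read, one org-scoped read, one private write
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::your-bucket-name/*"},
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "AdminWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/admin"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::your-bucket-name/*"},
    ],
}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for the anonymous principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_grants_read(action):
    """True if any action pattern matches s3:GetObject or s3:ListBucket."""
    patterns = [a.lower() for a in _as_list(action)]
    return any(fnmatch.fnmatchcase(t, p) for p in patterns for t in READ_ACTIONS)


def public_acl_grants(acl):
    """Return (permission, group URI) for each grant giving a public group read."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in READ_PERMISSIONS):
            hits.append((grant["Permission"], grantee["URI"]))
    return hits


def public_read_statements(policy):
    """Return (Sid, has_condition) for each Allow statement giving read to "*".

    Conditional statements are reported too: aws:PrincipalOrgID makes one safe,
    aws:Referer does not, so they need a human look. NotPrincipal/NotAction
    statements are not interpreted here and must be reviewed by hand.
    """
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_public(stmt.get("Principal"))
                and _action_grants_read(stmt.get("Action"))):
            hits.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return hits


def strip_public_read(policy):
    """Return a copy of the policy with unconditional public-read Allows removed."""
    flagged = {sid for sid, conditional in public_read_statements(policy) if not conditional}
    fixed = copy.deepcopy(policy)
    statements = _as_list(fixed.get("Statement"))
    fixed["Statement"] = [s for i, s in enumerate(statements)
                          if s.get("Sid", f"statement[{i}]") not in flagged]
    return fixed


if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("public read statements:", public_read_statements(SAMPLE_POLICY))
    print(json.dumps(strip_public_read(SAMPLE_POLICY), indent=2))
```

On real buckets, feed the output of `aws s3api get-bucket-acl --bucket NAME` and `json.loads` of the "Policy" field from `aws s3api get-bucket-policy --bucket NAME` into these functions for every bucket in `aws s3api list-buckets`. The script deliberately reports conditional "*" statements rather than silently accepting them, because whether a condition actually restricts the audience depends on the key used.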

Troubleshooting

  1. If the S3 bucket still allows public read access after making the necessary changes, ensure that you have saved and applied the updated bucket policy or ACLs.
  2. Double-check both the bucket policy and the ACL: either one alone grants public read, so a public ACL grant left in place keeps the bucket public even after the policy has been fixed, and vice versa.
  3. Verify that your AWS account has the necessary permissions to modify the bucket policy or ACLs (s3:PutBucketPolicy and s3:PutBucketAcl on the bucket).

Additional Considerations

  • It is essential to regularly audit and review your S3 bucket permissions, especially when new buckets are created or when changes are made to existing ones. Monitor for any new public access and immediately revoke it.
  • Turn on S3 Block Public Access at the account level, and per bucket where that is not possible. With all four settings enabled, S3 ignores existing public ACLs, rejects new public ACLs and public bucket policies, and restricts access to buckets whose policy is public, so a misconfigured bucket cannot become readable from the internet.
  • Implement AWS CloudTrail to record S3 bucket-related events, which can help in identifying any unauthorized access attempts or changes to permissions. Management events such as PutBucketPolicy and PutBucketAcl are logged by default; object reads (GetObject) are data events and must be enabled explicitly on the trail.
