
Rule: S3 Buckets Should Prohibit Public Read Access

This rule ensures S3 buckets restrict public read access for better security.

Rule: S3 buckets should prohibit public read access
Framework: FedRAMP Low Revision 4
Severity: Medium

S3 Buckets Prohibit Public Read Access for FedRAMP Low Revision 4

Overview

FedRAMP Low Revision 4 compliance requires that all Amazon S3 buckets prohibit public read access to ensure data security and privacy. Public read access allows anyone on the internet to view or download content from an S3 bucket, which can lead to unauthorized access to sensitive information.

As part of this rule, AWS account administrators need to make sure that none of their S3 buckets are inadvertently open to the public.

Rule Description

Amazon S3 bucket policies and Access Control Lists (ACLs) should be configured to deny public read access. FedRAMP Low Rev. 4 demands the enforcement of a "least privilege" policy, which means providing just enough access to users to perform their duties.

In detail, the rule requires the following:

  • Bucket policies must not allow the principal * (all principals) with actions like s3:GetObject.
  • ACLs must not have the public-read grant permission set.
  • The S3 Block Public Access feature should be enabled to block existing public access and to ensure that any future policies do not inadvertently grant public read access.

Remediation Steps

Review and Modify Bucket Policies

  1. Access the AWS Management Console.
  2. Navigate to the S3 service section.
  3. Click on the bucket you need to modify.
  4. Under the 'Permissions' tab, locate the 'Bucket policy' button.
  5. Review the policy for statements granting s3:GetObject permission to * (all principals).
  6. Modify any statements to restrict access to specific IAM roles or remove them entirely.

Example of a statement that allows public access:

{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::examplebucket/*"
}

Review and Modify Bucket ACLs

  1. Within the S3 bucket permissions tab, locate the 'Access Control List (ACL)' section.
  2. Make sure that there are no grantees with 'List objects' or 'Read bucket permissions' set to 'Everyone'.

Enable Block Public Access settings

  1. Within the S3 bucket permissions tab, locate the 'Block Public Access' settings.
  2. Click the 'Edit' button.
  3. Enable all options to block new and existing public access:
     • Block new public ACLs and uploading public objects
     • Remove public access granted through public ACLs
     • Block new public bucket policies
     • Block public and cross-account access if the bucket has a public policy
  4. Click 'Save changes'.

Using AWS CLI for Remediation

If you have numerous buckets or prefer to automate the remediation process, you can use the AWS Command Line Interface (CLI).

  • Review the bucket policy and ACL settings using the CLI:
aws s3api get-bucket-policy --bucket BUCKET_NAME
aws s3api get-bucket-acl --bucket BUCKET_NAME
  • Update the bucket policy to remove public access:
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy 'POLICY_JSON'
  • Use the following command to enable all four Block Public Access settings at once:
aws s3api put-public-access-block --bucket BUCKET_NAME --public-access-block-configuration '{
    "BlockPublicAcls": true,
    "IgnorePublicAcls": true,
    "BlockPublicPolicy": true,
    "RestrictPublicBuckets": true
}'
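The policy and ACL review steps above can be automated once the CLI output is in hand. The following Python is an added example written for this page, not Cloud Defense's or AWS's code: it flags bucket-policy statements that grant object read to an anonymous principal, removes them to produce a policy suitable for put-bucket-policy, and flags ACL grants to AWS's public groups. The sample policy and ACL (bucket name, account ID and role name included) are constructed inputs shaped like the documents get-bucket-policy and get-bucket-acl return.

```python
import json

# AWS's well-known group URIs: an ACL grant to either makes the bucket/object public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}  # actions that grant object read

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: the forms that mean 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_statements(policy_json):
    """Sids (or positional labels) of Allow statements granting object read to anyone.
    A Condition block does not exempt a statement here; such hits need manual review."""
    stmts = _as_list(json.loads(policy_json).get("Statement", []))
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and any(a.lower() in READ_ACTIONS for a in _as_list(s.get("Action", [])))]

def strip_public_read(policy_json):
    """Return the policy JSON with the public-read statements removed (the 'remove
    them entirely' remediation); the result can be passed to put-bucket-policy."""
    doc, bad = json.loads(policy_json), set(public_read_statements(policy_json))
    doc["Statement"] = [s for i, s in enumerate(_as_list(doc.get("Statement", [])))
                        if s.get("Sid", f"statement[{i}]") not in bad]
    return json.dumps(doc, indent=2)

def acl_public_grants(acl_json):
    """(group, permission) pairs in get-bucket-acl output that go to a public group."""
    return [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in json.loads(acl_json).get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

# Constructed sample inputs (hypothetical bucket, account and role), shaped like
# the policy document and the Grants list that the two CLI commands return.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*"},
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::examplebucket/*"}]})
SAMPLE_ACL = json.dumps({"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]})
```

Running the checks against the samples reports PublicReadGetObject and the AllUsers READ grant, while the role-scoped statement survives the strip; note that the rewrite only removes statements, so a statement that also carries a Condition should be reviewed by hand before the result is applied.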

Conclusion

Carefully manage S3 bucket permissions to ensure compliance with FedRAMP Low Rev. 4 requirements. Regular audits and the use of AWS's proactive security tools will help maintain the secure state of your S3 resources.
