This rule ensures S3 buckets do not allow public write access, maintaining data security.
Rule | S3 buckets should prohibit public write access |
Framework | FedRAMP Low Revision 4 |
Severity | High |
Ensuring S3 Buckets Comply with FedRAMP Low Revision 4
Overview of the Policy
FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP Low Impact Level is designed for systems where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency's operations, assets, or individuals.
One requirement for storage resources, such as AWS S3 buckets, is to safeguard data by prohibiting public write access. This ensures that unauthorized users cannot modify or delete data, which would compromise the integrity of the stored information.
Troubleshooting Steps
If you suspect that a bucket may be misconfigured to allow public write access, the troubleshooting steps include:

- Check Bucket Policies: Review the S3 bucket policies to ensure that there are no statements allowing s3:Put* or s3:Delete* actions from public principals ("*").
- Inspect Access Control Lists (ACLs): Verify that the bucket ACLs do not grant WRITE or FULL_CONTROL permissions to the AllUsers or AuthenticatedUsers groups.
- Use AWS Config: If AWS Config is set up, look for the s3-bucket-public-write-prohibited rule status. If this rule is non-compliant, it indicates that public write access is enabled.

Necessary Codes and Commands
To remediate the issue and prohibit public write access, you may need to perform the following:
1. Update Bucket Policy

{
  "Version": "2012-10-17",
  "Id": "BucketPolicy",
  "Statement": [
    {
      "Sid": "DenyPublicWriteAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-12345678"
        }
      }
    }
  ]
}

Replace bucket-name with your actual bucket name and vpc-12345678 with your actual VPC ID. The StringNotEquals condition makes the Deny apply to every PutObject request that does not arrive through a VPC endpoint in the named VPC; with StringEquals the statement would deny only in-VPC writes and leave public writes untouched. The Deny statement does not remove ACL grants, which step 2 handles.

AWS CLI Command to Update Policy:

aws s3api put-bucket-policy --bucket bucket-name --policy file://policy.json
2. Modify Bucket ACL
To remove public write access through bucket ACLs, you can use the AWS Management Console or the AWS CLI. Using the Console is straightforward, following these steps:
For CLI, the following command will set the bucket ACL to private:
aws s3api put-bucket-acl --bucket bucket-name --acl private
Step by Step Guide for Remediation
Step 1: Check Current Access Settings
First, assess the current access level of the S3 bucket:
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name
Step 2: Update Access Settings
If you find any public write permissions, remove them by using the policy and ACL modification commands provided above.
Step 3: Confirm the Changes
After updating the policy and ACLs, confirm that the changes are in effect:
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name
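Putting the policy and ACL checks from the Troubleshooting Steps into code, as an added example that is not part of the original page: the functions below read the JSON that aws s3api get-bucket-acl and aws s3api get-bucket-policy print and report the public write grants those steps describe. The sample CLI output it runs on is constructed, and the check goes slightly beyond the steps by also treating {"AWS": "*"} principals and the s3:* and * action wildcards as public write.

```python
import json

# Group URIs AWS uses for the two public grantee groups named in the troubleshooting steps.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    # "*" and {"AWS": "*"} both mean any caller, anonymous ones included.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def _is_write_action(action):
    a = action.lower()  # IAM action names are case-insensitive
    return a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete"))

def public_write_grants(acl):
    """ACL grants (get-bucket-acl output) giving WRITE or FULL_CONTROL to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in ("WRITE", "FULL_CONTROL")):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings

def public_write_statements(policy):
    """Sids of Allow statements granting a Put*/Delete* action to a public principal.
    Conditions are not evaluated, so a conditioned statement is still reported for review."""
    return [stmt.get("Sid", "<no Sid>") for stmt in _as_list(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal"))
            and any(_is_write_action(a) for a in _as_list(stmt.get("Action", [])))]

def check_bucket(acl_output, policy_output):
    """Evaluate raw CLI JSON; get-bucket-policy wraps the policy document in a string."""
    acl = json.loads(acl_output)
    policy = json.loads(json.loads(policy_output)["Policy"]) if policy_output else {}
    return {"acl": public_write_grants(acl), "policy": public_write_statements(policy)}

# Constructed sample CLI output (not a real account): a public WRITE grant, a public-read statement
# (not a write finding) and a public Put* statement (a finding).
SAMPLE_ACL = json.dumps({"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]})
SAMPLE_POLICY = json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::bucket-name/*"},
    {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"],
     "Resource": "arn:aws:s3:::bucket-name/*"}]})})
```

An empty result clears only the two checks shown; the AWS Config rule in step 4 remains the authoritative compliance signal.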
Step 4: Monitor Compliance
Enable AWS Config to continuously monitor and record the compliance status of your S3 buckets with the s3-bucket-public-write-prohibited rule.

aws configservice put-config-rule --config-rule file://config-rule.json

Ensure config-rule.json includes the necessary configuration for the s3-bucket-public-write-prohibited rule.

Conclusion
Following these guidelines and regularly reviewing your S3 bucket access settings can help you maintain compliance with FedRAMP Low requirements. It is crucial to continuously monitor and audit your cloud resources to prevent potential security risks.