
Rule: S3 Buckets Should Prohibit Public Read Access

This rule ensures that S3 buckets do not allow public read access for better data security.

Rule: S3 buckets should prohibit public read access
Framework: HIPAA
Severity: Medium

Rule Description:

S3 buckets that handle HIPAA data should have an access policy configured to prohibit public read access. This policy ensures the confidentiality of the sensitive data stored in the buckets and helps to comply with HIPAA regulations.

Troubleshooting Steps:

If public read access is identified in an S3 bucket handling HIPAA data, the following troubleshooting steps can be taken:

1. Verify the current bucket policy or access control list (ACL) to confirm whether a security misconfiguration allows public read access.
2. Review the IAM user or role permissions associated with the bucket to ensure there are no overly permissive policies granting public access.
3. Check whether any objects within the bucket have individual permissions allowing public access. Review and modify the permissions for these objects.
4. If public read access is still present after the previous steps, check whether any AWS Lambda functions, Amazon S3 events, or other AWS services grant public read access to the bucket.
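Steps 1 and 3 above come down to reading two documents, the bucket policy and the ACL, and deciding whether either one opens object reads to everyone. The following Python is an added example, not Cloud Defense's own code, that performs that check offline: it flags Allow statements whose Principal is `*` or `{"AWS": "*"}` and whose Action covers s3:GetObject (including wildcards such as s3:Get* and s3:*), treats statements with a Condition as needing manual review rather than an automatic pass, and flags ACL grants of READ or FULL_CONTROL to the AllUsers or AuthenticatedUsers groups. The policy and ACL documents at the bottom are constructed samples; in practice they would come from the GetBucketPolicy and GetBucketAcl API calls.

```python
"""Offline check for public read access on an S3 bucket policy and ACL.

Added example, not Cloud Defense's own code: the bucket policy and ACL below
are constructed sample documents. In practice they would come from the
GetBucketPolicy and GetBucketAcl API calls (boto3: get_bucket_policy,
get_bucket_acl).
"""
import fnmatch
import json

# The action this rule is about: reading object data.
TARGET_ACTION = "s3:getobject"

# ACL grantee URIs that mean "everyone" / "any AWS account" (both are public).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' and {"AWS": "*"} both mean anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_object_read(actions):
    """True if any action pattern (e.g. s3:Get*, s3:*) covers s3:GetObject."""
    return any(fnmatch.fnmatchcase(TARGET_ACTION, a.lower()) for a in _as_list(actions))


def public_read_statements(policy):
    """Classify Allow statements that grant s3:GetObject to a public principal.

    Returns {"public": [sids], "conditional": [sids]}. Unconditional grants are
    public outright; conditional ones may be scoped (for example to an
    aws:PrincipalOrgID) and need a manual look rather than an automatic pass.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    result = {"public": [], "conditional": []}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant public access
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if not _grants_object_read(stmt.get("Action")):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        result[kind].append(stmt.get("Sid", "<no Sid>"))
    return result


def public_read_grants(acl):
    """Return (group, permission) pairs giving READ or FULL_CONTROL to the public."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        if grant.get("Permission") in ("READ", "FULL_CONTROL"):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def is_public_read(policy, acl):
    """Overall verdict: True if either the policy or the ACL opens object reads."""
    return bool(public_read_statements(policy)["public"] or public_read_grants(acl))


# --- constructed sample documents (not real bucket configuration) ----------
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hipaa-bucket/*"},
        {"Sid": "OrgOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-hipaa-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyPublicRead", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hipaa-bucket/*",
         "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("policy:", public_read_statements(SAMPLE_POLICY))
    print("acl:", public_read_grants(SAMPLE_ACL))
    print("public read?", is_public_read(SAMPLE_POLICY, SAMPLE_ACL))
```

On the sample input the check reports the "PublicRead" statement as public, the "OrgOnlyRead" statement as conditional (scoped to an organization, so not public but worth a look), ignores the Deny statement, and reports the AllUsers READ grant on the ACL. Note that a clean bucket policy does not by itself clear the bucket: the ACL and per-object ACLs (step 3) are evaluated separately, which is why the verdict function considers both documents.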

Necessary Codes:

In order to enforce the prohibition of public read access for HIPAA S3 buckets, a bucket policy with explicit deny statements can be created. Below is an example of a bucket policy denying public read access:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicRead",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalOrgID": "YOUR_AWS_ORGANIZATION_ID"
                }
            }
        }
    ]
}
```

Make sure to replace "bucket-name" with the actual name of the S3 bucket and "YOUR_AWS_ORGANIZATION_ID" with the ID of your AWS Organization; with that condition, the deny applies to every principal that is not part of the organization.
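The policy above is usually not applied to an empty bucket: an existing policy with legitimate application-role grants has to survive the change, and the two placeholders must not be left in place. The following Python is an added example, not Cloud Defense's own code, that builds the page's deny statement from a bucket name and organization ID, refuses the unreplaced placeholders, merges the statement into an existing policy document without duplicating it on repeated runs, and also returns the settings for S3 Block Public Access, an AWS bucket-level setting that this page does not mention but which rejects public ACLs and public policies outright. The bucket name, organization ID, account ID and existing policy at the bottom are constructed placeholders.

```python
"""Build the deny-public-read remediation policy for a HIPAA S3 bucket.

Added example, not Cloud Defense's own code. deny_public_read_statement()
reproduces the deny statement shown on this page; merge_deny_statement() adds
it to a bucket's existing policy without duplicating it; and
public_access_block_config() returns the settings for S3 Block Public Access,
an AWS feature this page does not mention. The bucket name, organization ID
and existing policy used at the bottom are constructed placeholders.
"""
import json
import re

DENY_SID = "DenyPublicRead"
ORG_ID_PATTERN = re.compile(r"o-[a-z0-9]{10,32}")  # shape of an AWS Organizations ID


def deny_public_read_statement(bucket_name, org_id):
    """The page's deny statement with the two placeholders filled in."""
    if not bucket_name or bucket_name == "bucket-name":
        raise ValueError("replace the 'bucket-name' placeholder with the real bucket name")
    if not ORG_ID_PATTERN.fullmatch(org_id):
        raise ValueError(f"{org_id!r} is not an AWS Organizations ID (expected o-...)")
    return {
        "Sid": DENY_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket_name}/*",
        "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": org_id}},
    }


def merge_deny_statement(existing_policy, bucket_name, org_id):
    """Return a new policy document containing the deny statement.

    existing_policy is the JSON string from GetBucketPolicy (or an already
    parsed dict), or None when the bucket has no policy. Any earlier statement
    with the same Sid is replaced, so the function is safe to run repeatedly;
    all other statements are preserved.
    """
    if existing_policy is None:
        policy = {"Version": "2012-10-17", "Statement": []}
    elif isinstance(existing_policy, str):
        policy = json.loads(existing_policy)
    else:
        policy = dict(existing_policy)
    policy.setdefault("Version", "2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != DENY_SID]
    statements.append(deny_public_read_statement(bucket_name, org_id))
    policy["Statement"] = statements
    return policy


def public_access_block_config():
    """Settings for PutPublicAccessBlock: reject public ACLs and policies outright."""
    return {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }


# Constructed existing policy: an internal app role's allow that must survive the merge.
EXISTING_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-hipaa-bucket/*",
    }],
})

if __name__ == "__main__":
    policy = merge_deny_statement(EXISTING_POLICY_JSON, "example-hipaa-bucket", "o-exampleorgid")
    print(json.dumps(policy, indent=2))
    # With boto3 the result would be applied as:
    #   s3.put_bucket_policy(Bucket="example-hipaa-bucket", Policy=json.dumps(policy))
    #   s3.put_public_access_block(Bucket="example-hipaa-bucket",
    #       PublicAccessBlockConfiguration=public_access_block_config())
```

Because the deny is keyed on aws:PrincipalOrgID, confirm before applying it that every legitimate reader of the bucket (application roles, cross-account consumers) belongs to the organization; otherwise the deny will cut them off along with the public. Step 10 of the remediation, a read attempt from an unauthenticated client, remains the final confirmation that anonymous access is refused.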

Remediation Steps:

To remediate the S3 bucket and enforce the prohibition of public read access, follow these steps:

1. Open the AWS Management Console and navigate to the S3 service.
2. Identify the S3 bucket used for HIPAA data storage.
3. Click on the bucket name to access the bucket's properties.
4. Go to the "Permissions" tab.
5. Review the bucket policy and access control list (ACL).
6. If an ACL is used to control access, remove any entries allowing public access. Ensure that only authorized users have access to the bucket.
7. If a bucket policy is in use, edit the policy by clicking on the "Edit bucket policy" button.
8. Modify the policy to include the explicit deny statement shown above to prevent public read access.
9. Save the changes to the bucket policy.
10. Verify the changes by testing access from a public context, ensuring that access to the bucket is denied.
11. Repeat the steps for any other S3 buckets handling HIPAA data.

By following these steps, you can ensure that S3 buckets storing HIPAA data do not allow public read access, thus maintaining the security and compliance of the data.
