
Rule: S3 Buckets Should Prohibit Public Write Access

This rule ensures that S3 buckets do not allow public write access for enhanced security measures.

Rule: S3 buckets should prohibit public write access
Framework: HIPAA
Severity: High

Rule Description:

This rule ensures that S3 buckets storing HIPAA-compliant data prohibit public write access. This is crucial for maintaining the security and privacy of sensitive healthcare information stored in S3 buckets. Limiting write access to authorized users or applications helps prevent accidental or malicious alteration or deletion of data.

Troubleshooting Steps:

If public write access is mistakenly allowed for an S3 bucket holding HIPAA data, follow these troubleshooting steps to rectify the issue:

  1. Identify the affected S3 bucket(s): Use the AWS Management Console, AWS CLI, or AWS SDKs to list the S3 buckets in your account.
  2. Check bucket permissions: Review the bucket's access control list (ACL) to determine whether it allows public write access.
  3. Verify bucket policies: Examine any bucket policies attached to the affected S3 bucket to ensure none of them allows public write access.
  4. Review IAM policies on linked roles: If any AWS Identity and Access Management (IAM) roles are linked to the bucket, review the policies attached to those roles to ensure they do not grant public write access.
  5. Check bucket-level Block Public Access settings: Validate the Block Public Access settings on the bucket to verify that public write access is disabled.

Necessary Code:

To enforce the policy of prohibiting public write access for an S3 bucket:

Bucket Policy:

You can attach this policy to the S3 bucket to enforce the prohibition of public write access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicWriteAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": false
        }
      }
    }
  ]
}

Note: Replace "bucket-name" with the name of your S3 bucket.

AWS CLI Command:

To apply the bucket policy using the AWS Command Line Interface (CLI), execute the following command:

aws s3api put-bucket-policy --bucket bucket-name --policy file://path/to/policy.json

Note: Replace "bucket-name" with the name of your S3 bucket and "path/to/policy.json" with the path to the policy file on your local system.

Remediation Steps:

To remediate an S3 bucket that allows public write access for HIPAA data:

  1. Identify the affected S3 bucket(s) using the troubleshooting steps mentioned above.
  2. Attach or update the bucket policy with the necessary code provided, ensuring the "Effect" is set to "Deny" for the "Action" "s3:PutObject", with "aws:SecureTransport" equal to "false" as the only condition.
  3. Verify the applied bucket policy to confirm that public write access is now denied.
  4. Test the bucket to ensure authorized users or applications can still write to it while public write access is strictly prohibited.
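The script below is an added example, not Cloud Defense's rule engine or AWS-provided code. It implements the checks from troubleshooting steps 2, 3 and 5 and the verification in remediation step 3 as pure functions over the documents that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return: public ACL grants, bucket-policy Allow statements to Principal *, and disabled Block Public Access flags. The sample ACL, policy and settings are constructed; fetch_bucket_documents assumes boto3 and credentials that can read those three documents. One caveat the audit makes visible: the Deny statement from the bucket policy above only blocks uploads made without TLS (aws:SecureTransport false), so an Allow to Principal * elsewhere in the policy, a public ACL grant, or a Block Public Access flag left off still leaves the bucket publicly writable, and each is reported on its own.

```python
# Added example: offline audit of the three sources of public write access on an S3
# bucket (ACL, bucket policy, Block Public Access). Sample inputs are constructed.
import json

PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}                       # ACL permissions that allow writes
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}    # lower-cased policy actions
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_write_grants(acl):
    """ACL grants giving AllUsers or AuthenticatedUsers WRITE or FULL_CONTROL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings

def _is_wildcard_principal(principal):
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_public_write_statements(policy):
    """Allow statements granting a write action to Principal *. Accepts the JSON string
    get_bucket_policy returns or a parsed dict. NotPrincipal/NotAction are not evaluated."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if not {a.lower() for a in _as_list(stmt.get("Action", []))} & WRITE_ACTIONS:
            continue
        # A Condition may or may not narrow the grant enough, so it is still reported.
        kind = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')}: {kind} Allow of write to Principal *")
    return findings

def public_access_block_gaps(config):
    """Block Public Access flags that are not true (None means none are configured)."""
    config = config or {}
    return [flag for flag in PAB_FLAGS if not config.get(flag, False)]

def audit_bucket(acl, policy, public_access_block):
    """All three checks combined; an empty list means no public write exposure was found."""
    findings = acl_public_write_grants(acl)
    if policy is not None:
        findings += policy_public_write_statements(policy)
    findings += [f"Block Public Access flag {f} is not enabled" for f in public_access_block_gaps(public_access_block)]
    return findings

def fetch_bucket_documents(bucket, s3=None):
    """Fetch the three documents for a real bucket (assumes boto3 and credentials that can
    GetBucketAcl, GetBucketPolicy and GetBucketPublicAccessBlock). Missing ones return None."""
    import boto3  # imported here so the offline checks above need no AWS SDK
    from botocore.exceptions import ClientError
    s3 = s3 or boto3.client("s3")

    def optional(call, key, missing_code):
        try:
            return call(Bucket=bucket)[key]
        except ClientError as exc:
            if exc.response["Error"]["Code"] != missing_code:
                raise
            return None
    return (s3.get_bucket_acl(Bucket=bucket),
            optional(s3.get_bucket_policy, "Policy", "NoSuchBucketPolicy"),
            optional(s3.get_public_access_block, "PublicAccessBlockConfiguration",
                     "NoSuchPublicAccessBlockConfiguration"))

# Constructed sample inputs in the shapes the boto3 calls return.
SAMPLE_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicUpload", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::bucket-name/*"},
    {"Sid": "DenyPublicWriteAccess", "Effect": "Deny", "Principal": "*",   # the statement from the page
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB):
        print("FINDING:", finding)
```

Run against the constructed sample it reports four findings: the AllUsers WRITE grant, the unconditional PublicUpload statement, and the two Block Public Access flags that are off; the page's DenyPublicWriteAccess statement is correctly not flagged, but it is also not what closes the bucket. For a real bucket, pass the tuple from fetch_bucket_documents(name) into audit_bucket and treat any non-empty result as a failed check for this rule.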

Implementing these steps will help ensure HIPAA compliance by disallowing public write access for S3 buckets containing sensitive healthcare data.
