Restrict Amazon S3 Bucket Policies for Cross-Account Permissions (Rule)

Ensure Amazon S3 permissions granted to other AWS accounts are restricted to enhance security.

Rule: Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

The rule examines every Amazon Simple Storage Service (S3) bucket policy for statements that grant permissions to principals in other AWS accounts and flags buckets where those grants are broader than the business need. It maps to the access-control requirements of NIST SP 800-171 Revision 2, which call for limiting system access to authorised users and to the functions those users are permitted to perform.

Permissions Restriction:

Cross-account grants in a bucket policy are a common route to data exposure. An Allow statement naming a foreign account root (arn:aws:iam::<account>:root) delegates access to that whole account, whose own administrators then decide which of their users and roles can use it, and an Allow for Principal "*" makes the bucket reachable by anyone. The rule therefore expects each cross-account statement to name a specific account, role or user, to list only the actions that principal needs, to scope the Resource to the objects or prefixes involved, and to be removed once it is no longer required. Keeping grants that narrow, in line with NIST 800-171 Revision 2, reduces the risk of unauthorised access to sensitive data stored in S3.

Troubleshooting Steps:

  1. Identify the S3 bucket(s) whose bucket policies grant permissions to other AWS accounts: any Allow statement whose Principal names an account ID, an ARN from another account, or "*".
  2. Review the bucket policies of the identified bucket(s) in the AWS Management Console (bucket > Permissions > Bucket policy) or with the AWS CLI (the s3api get-bucket-policy command).
  3. For each cross-account statement, verify that the principal, actions and resources are the minimum the documented business need requires, as NIST 800-171 Revision 2 expects.
  4. Determine which statements must be narrowed, and which grant access that is no longer needed and should be removed.

Necessary Code:

If a bucket policy grants cross-account access that is not required, the first fix is to delete or narrow the Allow statement itself. Where that Allow has to stay for the moment (for example while a consumer migrates off the bucket), an explicit Deny such as the sample below overrides it for the named accounts, because a Deny wins over any Allow in policy evaluation:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictS3Access",
      "Effect": "Deny",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root",
          "arn:aws:iam::<Other AWS Account ID>:root"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/*",
        "arn:aws:s3:::example-bucket"
      ]
    }
  ]
}

Note: Replace example-bucket with the actual bucket name, and replace both 123456789012 and <Other AWS Account ID> with the IDs of the accounts whose access is being revoked. Naming an account's root principal in a Deny denies every IAM user and role in that account. The statement only reaches the principals it enumerates: an Allow for any account not on the list is unaffected, so treat it as a stop-gap rather than a substitute for removing the unwanted grant.
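A Deny that enumerates accounts has to be updated every time a new cross-account grant appears. The policy below, added here as an example and not taken from the page, inverts the check: it denies every principal whose account is not on an approved list, using the aws:PrincipalAccount global condition key, while exempting AWS service principals (log delivery and similar) through aws:PrincipalIsAWSService. The account IDs are placeholders: 111122223333 stands for the bucket owner and 444455556666 for one approved partner account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessOutsideApprovedAccounts",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": [
            "111122223333",
            "444455556666"
          ]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

Because a Deny overrides every Allow, including those in the owner account's own IAM policies, put every account that legitimately needs the bucket on the list before applying it, and keep the owner account on it or the bucket's own administrators are locked out as well. This statement does not replace S3 Block Public Access, which remains the supported control against anonymous access.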

Remediation Steps:

  1. Identify the S3 bucket(s) with non-compliant bucket policies.
  2. Open the bucket policy of each identified bucket in the AWS Management Console or retrieve it with the AWS CLI.
  3. Remove the Allow statements that grant access to other AWS accounts when that access is not required, and narrow the remaining ones (specific principal, minimum actions, scoped Resource) so that they comply with NIST 800-171 Revision 2.
  4. Where a grant cannot yet be removed, add an explicit Deny such as the sample above for the accounts that must lose access.
  5. Save the updated bucket policy; it takes effect immediately, so have the revised policy reviewed before saving it.
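The troubleshooting and remediation steps above (find the buckets with cross-account grants, decide which are justified, drop the rest) can be scripted. The following is an added example, not CloudDefense's code: it analyses a bucket policy held as a Python dict, reports every Allow statement that grants access outside the owning account or to everyone, and produces a copy of the policy with the unapproved grants removed. The account IDs, bucket name and SAMPLE_POLICY are constructed for the example; scan_account assumes an already configured boto3 S3 client and is the only part that touches AWS.

```python
"""Find and strip S3 bucket-policy statements that grant access outside the owning account.
Added example (not CloudDefense's code); SAMPLE_POLICY and all account IDs are constructed."""
import json
import re

# Captures the 12-digit account ID from an IAM principal ARN (any partition).
ACCOUNT_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")


def principal_accounts(principal):
    """Return the account IDs named in a Principal element; '*' (everyone) is kept as '*'.
    Service and Federated principals are not other AWS accounts and are ignored here."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    values = [values] if isinstance(values, str) else list(values)
    accounts = set()
    for value in values:
        if value == "*":
            accounts.add("*")
        elif value.isdigit() and len(value) == 12:      # bare account-ID form
            accounts.add(value)
        elif match := ACCOUNT_ARN.match(value):         # ARN form (root, user or role)
            accounts.add(match.group(1))
    return accounts


def find_cross_account_grants(policy, owner_account):
    """Return (Sid, actions, foreign principals) for every Allow statement that grants
    access to an account other than owner_account, or to everyone ('*')."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue                                    # a Deny never grants anything
        if "NotPrincipal" in stmt:
            foreign = {"*"}                             # Allow + NotPrincipal: everyone but the listed
        else:
            foreign = principal_accounts(stmt.get("Principal", {})) - {owner_account}
        if foreign:
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            findings.append((stmt.get("Sid", "<no Sid>"), actions, sorted(foreign)))
    return findings


def strip_cross_account_grants(policy, owner_account, approved_accounts=()):
    """Return a copy of the policy without cross-account Allow statements, except those
    whose foreign principals are all in approved_accounts (the documented, required grants)."""
    kept = []
    for stmt in policy.get("Statement", []):
        findings = find_cross_account_grants({"Statement": [stmt]}, owner_account)
        if findings and not set(findings[0][2]) <= set(approved_accounts):
            continue
        kept.append(stmt)
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": kept}


def scan_account(s3, owner_account):
    """Run the check over every bucket visible to an existing boto3 S3 client, e.g.
    scan_account(boto3.client("s3"), OWNER). Needs credentials; not exercised offline."""
    from botocore.exceptions import ClientError         # lazy: only a live scan needs boto3
    results = {}
    for bucket in s3.list_buckets()["Buckets"]:
        try:
            policy = json.loads(s3.get_bucket_policy(Bucket=bucket["Name"])["Policy"])
        except ClientError as exc:
            if exc.response["Error"]["Code"] == "NoSuchBucketPolicy":
                continue                                # no policy: nothing granted cross-account
            raise
        findings = find_cross_account_grants(policy, owner_account)
        if findings:
            results[bucket["Name"]] = findings
    return results


OWNER = "111122223333"   # placeholder owner account

# Constructed sample: owner read, a partner upload grant, a public listing grant and a
# TLS-only Deny (not a grant, and it must survive remediation).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnerRead", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OWNER}:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerUpload", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:role/uploader", "777788889999"]},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for sid, actions, who in find_cross_account_grants(SAMPLE_POLICY, OWNER):
        print(f"{sid}: {', '.join(actions)} granted to {', '.join(who)}")
    # Keep the documented partner grant, drop every other cross-account Allow.
    print(json.dumps(strip_cross_account_grants(SAMPLE_POLICY, OWNER,
                                                ["444455556666", "777788889999"]), indent=2))
```

Run against SAMPLE_POLICY the scan reports PartnerUpload (two foreign accounts) and PublicList ("*") and leaves OwnerRead and the TLS-only Deny alone. Feed the stripped policy to put-bucket-policy only after a human has confirmed the approved_accounts list, since the function removes every unapproved grant, including ones that may be load-bearing.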

Verification:

To verify if the permissions have been successfully restricted, follow these steps:

  1. In the AWS Management Console or with the AWS CLI, open the bucket policy of each bucket that was modified.
  2. Review the policy and confirm that every remaining cross-account statement names a specific principal, grants only the required actions and resources, and so complies with NIST 800-171 Revision 2.
  3. From an account that was previously granted access, attempt an action the policy no longer permits (for example reading an object); the request should fail with an AccessDenied error.
  4. Confirm that principals which still need access (the bucket owner's own roles and any approved partner account) can still perform their permitted actions, so the change has not broken a legitimate workflow.
  5. Monitor the bucket(s) periodically, and re-run the check after every policy change, to ensure ongoing compliance with the NIST 800-171 Revision 2 requirements.
