
Rule: S3 Buckets Should Prohibit Public Write Access

This rule ensures that S3 buckets restrict public write access to maintain data security.

Rule: S3 buckets should prohibit public write access
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

The rule requires that no S3 bucket can be written to by the public, that is, by anonymous callers or by arbitrary AWS principals outside your account. In practice this means three things hold for every bucket: S3 Block Public Access is enabled, no bucket policy statement allows write actions to Principal "*", and no ACL grants WRITE, WRITE_ACP or FULL_CONTROL to the AllUsers or AuthenticatedUsers groups. The rule is mapped to the access-control requirements of NIST 800-171 Revision 2.

Troubleshooting Steps:

If a bucket is reported as non-compliant with this rule, check the following, in this order:

  1. Confirm that S3 Block Public Access is enabled for the bucket (all four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets). If the account-level setting is enabled it overrides the bucket setting, so check both levels.
  2. Review the bucket policy for any "Allow" statement whose Principal is "*" (or {"AWS": "*"}) and whose Action includes a write action such as s3:PutObject, s3:PutObjectAcl, s3:DeleteObject, s3:Put* or s3:*. A statement like this is public even if other statements in the same policy look restrictive.
  3. Review the bucket ACL for grants of WRITE, WRITE_ACP or FULL_CONTROL to "Everyone (public access)" or "Authenticated users group". If Object Ownership is set to "Bucket owner enforced", ACLs are disabled and this check is satisfied.
  4. Check whether any automation (deployment pipelines, infrastructure-as-code templates, applications that call PutBucketAcl or PutBucketPolicy) re-applies public permissions after you remove them; otherwise the bucket will drift back to non-compliance.

Note that identity-based IAM policies attached to your own users and roles cannot cause or prevent public access by themselves: anonymous requests are not evaluated against any IAM principal's policy. Public write access always comes from the bucket policy, the ACL, or a disabled Block Public Access setting.

Necessary Codes:

Two kinds of policy are useful here. A bucket policy (a resource-based policy) is what actually blocks writes from outside your account, including anonymous writes. An identity-based IAM policy cannot block anonymous requests, but attached to your users, groups and roles it stops them from making a bucket or object publicly writable in the first place. Both are shown below.

IAM Policy:

The following identity-based policy denies any request that applies the "public-read-write" canned ACL to the bucket or to objects in it, whether through PutBucketAcl, PutObjectAcl or an ACL header on an upload. Note that a Condition on aws:PrincipalArn with a wildcard value does not work under StringEquals (string operators do not expand wildcards), which is why the condition here keys on the requested ACL instead.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicWriteAcl",
            "Effect": "Deny",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl",
                "s3:PutBucketAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "public-read-write"
                }
            }
        }
    ]
}

Bucket Policy:

A Deny statement on s3:PutObject with Principal "*" and no Condition would block every write to the bucket, including writes from your own account, because an explicit Deny overrides any Allow. Scope it with a condition instead. The statement below denies object writes from any principal whose account is not yours. Because aws:PrincipalAccount is absent from anonymous requests, and negated condition operators such as StringNotEquals evaluate to true when the key is missing, the statement also denies unauthenticated writes.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicWriteAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "123456789012"
                }
            }
        }
    ]
}

Replace "bucket-name" with the name of your S3 bucket and "123456789012" with your AWS account ID. If trusted principals in other accounts legitimately write to this bucket, list their account IDs alongside yours in the condition value (the value may be an array); otherwise this statement will break them. Treat the bucket policy as defence in depth: the primary control for this rule is S3 Block Public Access, which prevents public ACLs and public bucket policies from taking effect regardless of what is written in them.

Step-by-Step Guide for Remediation:

To remediate a bucket and enforce the prohibition of public write access, follow these steps. In the current S3 console the Block Public Access settings, bucket policy, Object Ownership and ACL are all sections of the bucket's "Permissions" tab rather than separate tabs.

  1. Open the AWS Management Console and navigate to the S3 service.
  2. Select the bucket that needs remediation and open its "Permissions" tab.
  3. Under "Block public access (bucket settings)", click "Edit", select "Block all public access" (this enables BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) and save. If every bucket in the account should be private, enable the same setting at the account level under "Block Public Access settings for this account" so that no individual bucket can opt out.
  4. Under "Bucket policy", review any existing policy. Remove or narrow every "Allow" statement whose Principal is "*" (or {"AWS": "*"}) and whose Action includes s3:PutObject, s3:PutObjectAcl, s3:PutObjectVersionAcl, s3:DeleteObject, s3:Put* or s3:*.
  5. Add the following statement to the "Statement" array of the existing policy, or, if the bucket has no policy, create one with this document:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPublicWriteAccess",
                "Effect": "Deny",
                "Principal": "*",
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:PutObjectVersionAcl",
                    "s3:DeleteObject"
                ],
                "Resource": "arn:aws:s3:::bucket-name/*",
                "Condition": {
                    "StringNotEquals": {
                        "aws:PrincipalAccount": "123456789012"
                    }
                }
            }
        ]
    }
    
    Replace "bucket-name" with the name of your S3 bucket and "123456789012" with your AWS account ID (add the IDs of any trusted cross-account writers to the same condition value). Without the Condition, the Deny would block your own account's writes as well.
  6. Under "Access control list (ACL)", verify that "Everyone (public access)" and "Authenticated users group (anyone with an AWS account)" have no Write or Write ACP grants. Remove any that exist. If "Object Ownership" is set to "Bucket owner enforced", ACLs are disabled and nothing needs to be changed here.
  7. Save the changes and confirm in the Buckets list that the bucket's "Access" column no longer shows it as public.
  8. Repeat these steps for every other S3 bucket that requires remediation, and fix the template or pipeline that created the public permissions so the bucket does not drift back.

By following these steps, you enforce the prohibition of public write access for your S3 buckets, aligning with the NIST 800-171 Revision 2 requirements.
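The troubleshooting and remediation steps above check three things by hand: the bucket policy, the ACL, and Block Public Access. The following script, added here as an example and not part of the original rule page or of any vendor tool, encodes the same checks so they can be run against the JSON that `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return. The bucket name, account ID and the two sample buckets are constructed placeholders; the function and variable names are this example's own.

```python
"""Offline audit of the three places an S3 bucket can become publicly writable:
bucket policy, bucket ACL, and Block Public Access (PAB) settings.

Input shapes follow the `aws s3api get-bucket-policy` / `get-bucket-acl` /
`get-public-access-block` responses. All sample data is constructed; the
bucket name and account ID are placeholders, not real resources.
"""
import fnmatch
import json

# Actions that create, overwrite or delete objects, or change permissions so a
# caller could then do so. Statement Action wildcards are matched against these.
WRITE_ACTIONS = (
    "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl",
    "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:PutBucketAcl", "s3:PutBucketPolicy",
)
# ACL grantee groups that mean "the public" in S3 terms.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM accepts either a single string or a list in Principal/Action."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: any AWS or anonymous caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def grants_write(actions):
    """True if any Action pattern (e.g. s3:*, s3:Put*) covers a write action."""
    patterns = [a.lower() for a in _as_list(actions)]  # IAM action names are case-insensitive
    return any(fnmatch.fnmatchcase(real.lower(), pat)
               for pat in patterns for real in WRITE_ACTIONS)


def policy_findings(policy):
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        if not principal_is_public(st.get("Principal")) or not grants_write(st.get("Action", [])):
            continue
        sid = st.get("Sid", "<no Sid>")
        if st.get("Condition"):
            # A condition (aws:SourceIp, aws:PrincipalOrgID, ...) may narrow the
            # grant enough to be non-public, but that needs a human decision.
            findings.append(f"policy statement {sid}: public write Allow restricted only by a Condition; review it")
        else:
            findings.append(f"policy statement {sid}: unconditional public write Allow")
    return findings


def acl_findings(grants):
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in ACL_WRITE_PERMS):
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings


def pab_findings(pab):
    """All four flags must be True; a bucket with no PAB configured fails all four."""
    return [f"BlockPublicAccess.{flag} is not enabled" for flag in PAB_FLAGS if not pab.get(flag, False)]


def public_write_findings(policy, grants, pab):
    """An empty list means the bucket passes the rule."""
    return policy_findings(policy) + acl_findings(grants) + pab_findings(pab)


# --- constructed sample input (placeholder bucket, placeholder account) -------
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}

NONCOMPLIANT = dict(
    policy={"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/*"}]},
    grants=[{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": ALL_USERS, "Permission": "WRITE"}],
    pab={flag: False for flag in PAB_FLAGS},
)
COMPLIANT = dict(
    policy={"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyPublicWriteAccess", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::bucket-name/*",
         "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}},
        {"Sid": "AppUploader", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/*"}]},
    grants=[{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
    pab={flag: True for flag in PAB_FLAGS},
)

if __name__ == "__main__":
    for name, bucket in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(name, json.dumps(public_write_findings(**bucket), indent=2))
```

The compliant sample is the remediated state described in the steps above: the scoped Deny statement, a named role as the only public-looking Allow, an owner-only ACL and all four Block Public Access flags on. A public Allow that carries a Condition is reported for review rather than passed, because whether a condition such as aws:SourceIp makes a grant non-public is a judgement call the script should not make on its own.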
