Rule: S3 Buckets Should Prohibit Public Write Access
This rule pertains to restricting public write access for S3 buckets.
| Rule | S3 buckets should prohibit public write access |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ High |
Rule Description
The policy ensures that S3 buckets in compliance with NIST 800-171 Revision 2 should prohibit public write access. This rule aims to enhance the security and privacy of sensitive data stored in S3 buckets by preventing unauthorized write operations from public sources.
Troubleshooting Steps
Step 1: Determine if any S3 bucket allows public write access.
- Login to the AWS Management Console.
- Navigate to the S3 service.
- Review the bucket policies, access control lists (ACLs), and permissions for each bucket.
Step 2: Identify any existing public write access permissions.
- Check the bucket policies for any "s3:PutObject" or "s3:Put*" actions that allow public access. Look for "*" in the "Principal" or "AWS" field.
- Inspect the bucket's ACLs and ensure that there are no "WRITE" permissions granted to "Everyone" or "AllUsers".
Step 3: Modify the permissions to prohibit public write access.
- Update the bucket policy to remove any "s3:PutObject" or "s3:Put*" actions that grant public access. Use the "NotPrincipal" or "NotAction" attributes to block public permissions explicitly.
- Adjust the bucket's ACLs to revoke any "WRITE" permissions granted to "Everyone" or "AllUsers". Set more restrictive permissions based on your specific requirements.
Step 4: Verify the changes.
- Validate that the bucket policy no longer allows public write access.
- Recheck the ACLs to ensure that "WRITE" permissions for "Everyone" or "AllUsers" have been successfully revoked.
Necessary Codes
There are no specific codes necessary for this rule. However, the following example demonstrates how to update an S3 bucket policy to prohibit public write access:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"DenyPublicWrites",
"Effect":"Deny",
"Principal":"*",
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::EXAMPLE_BUCKET_NAME/*",
"Condition":{
"StringEquals":{
"aws:PrincipalOrgID":"*"
}
}
}
]
}
This policy denies any attempt to perform a "PutObject" action on the specified bucket ("EXAMPLE_BUCKET_NAME") from any principal ("*"), effectively prohibiting public write access.
Remediation Steps
Step 1: Identify the S3 bucket requiring remediation.
- List all the S3 buckets in your AWS account and identify the bucket that violates the policy.
Step 2: Update the bucket policy to remove public write access.
- Open the AWS Management Console and go to the S3 service.
- Select the bucket requiring remediation.
- Go to the "Permissions" tab and click on "Bucket Policy".
- Replace the existing policy with the following policy (modify bucket name if necessary):
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"DenyPublicWrites",
"Effect":"Deny",
"Principal":"*",
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::EXAMPLE_BUCKET_NAME/*",
"Condition":{
"StringEquals":{
"aws:PrincipalOrgID":"*"
}
}
}
]
}
- Click "Save" to apply the new policy.
Step 3: Verify the changes.
- Confirm that the bucket policy has been modified to prohibit public write access.
- Test by attempting to upload a file to the bucket using public credentials. It should be denied.
- Regularly review and validate the bucket permissions to ensure they comply with the policy.
By following these steps, you can remediate the S3 bucket and enforce the prohibition of public write access according to the NIST 800-171 Revision 2.