
Rule: S3 Public Access Blocked at Account Level

This rule ensures S3 public access is blocked at the account level for security and compliance purposes.

Rule: S3 public access should be blocked at account level
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description

This rule enables the prevention of public access to Amazon S3 (Simple Storage Service) buckets and objects at the account level in order to comply with the security requirements specified in NIST (National Institute of Standards and Technology) 800-171 Revision 2.

Troubleshooting Steps

If you encounter any issues while implementing this rule, you can follow these troubleshooting steps:

  1. Ensure that you have appropriate user permissions to make changes to the S3 bucket access settings.
  2. Double-check if the correct S3 bucket or account is being targeted for applying this rule.
  3. Verify that the S3 bucket is not used for any legitimate public access requirements by reviewing the bucket's access logs, usage patterns, and the applications using it.
  4. If certain applications or services require public access to the S3 bucket, consider configuring appropriate access controls while keeping security best practices in mind.
  5. Check if any existing bucket policies or access control lists (ACLs) may conflict with the blocked public access settings.
  6. Review any error messages received during the implementation process and search for relevant AWS documentation or community forums for further assistance.

Necessary Codes

No specific codes are required for this rule. It can be implemented using AWS Management Console or AWS CLI commands.

Step-by-Step Remediation Guide

Follow these step-by-step instructions to block public access to S3 at the account level:

  1. AWS Management Console:

    1. Sign in to the AWS Management Console.
    2. Open the Amazon S3 service.
    3. Choose the target S3 bucket for which you want to block public access.
    4. Click on the "Properties" tab.
    5. Under the "Public access" section, ensure that all four settings (Block new public bucket policies, Block public and cross-account access if bucket has public policies, Block public access to buckets and objects granted through new access control lists (ACLs), and Block public access to buckets and objects granted through any access control lists (ACLs)) are enabled.
    6. Save the changes.

  2. AWS CLI:

    1. Install and configure the AWS CLI (Command Line Interface) if you haven't already.
    2. Open the Command Prompt, Terminal, or any command-line interface.
    3. Type the following command to update the account-level public access block settings for S3 (replace <ACCOUNT_ID> with your 12-digit AWS account ID; the s3control command requires the --account-id parameter and fails without it):

      aws s3control put-public-access-block --account-id <ACCOUNT_ID> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

    4. Press Enter to execute the command.
    5. Verify that the settings have been successfully updated by checking that the command returned no errors.

Note: The above commands assume you have the necessary permissions to update S3 bucket settings at the account level.
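As an added example (not part of the Cloud Defense page or of any AWS tooling), the following Python evaluates the JSON that `aws s3control get-public-access-block --account-id <ACCOUNT_ID>` prints, lists which of the four required settings are missing, and shows how the account-level and bucket-level settings combine into the effective block. The sample output and the functions parse_public_access_block, evaluate_account and effective_block are all constructed here.

```python
import json

# The four settings this rule requires at the account level; the names are
# the JSON keys returned by `aws s3control get-public-access-block`.
REQUIRED_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def parse_public_access_block(raw_json):
    """Parse CLI output into a dict of the four flags.

    An empty string stands in for the NoSuchPublicAccessBlockConfiguration
    error the API returns when nothing has ever been configured: in that
    case every setting is effectively false.
    """
    if not raw_json.strip():
        return {k: False for k in REQUIRED_SETTINGS}
    cfg = json.loads(raw_json)["PublicAccessBlockConfiguration"]
    return {k: bool(cfg.get(k, False)) for k in REQUIRED_SETTINGS}


def evaluate_account(account_cfg):
    """Return the required settings that are not enabled (empty = compliant)."""
    return [k for k in REQUIRED_SETTINGS if not account_cfg.get(k)]


def effective_block(account_cfg, bucket_cfg):
    """Account and bucket settings combine with OR: a flag enabled at either
    level blocks. This is why a bucket-level toggle alone does not satisfy
    an account-level rule, while the account-level setting covers every bucket."""
    return {k: bool(account_cfg.get(k) or bucket_cfg.get(k))
            for k in REQUIRED_SETTINGS}


# Constructed sample output for a partially configured account (hypothetical).
SAMPLE_ACCOUNT_OUTPUT = """{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": false,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": false
    }
}"""

if __name__ == "__main__":
    missing = evaluate_account(parse_public_access_block(SAMPLE_ACCOUNT_OUTPUT))
    print("NON-COMPLIANT, missing: %s" % missing if missing else "COMPLIANT")
```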

By following the above steps, you will successfully block public access to Amazon S3 buckets and objects at the account level, thereby complying with the NIST 800-171 Revision 2 security requirements.
