
Rule: S3 Buckets Should Prohibit Public Read Access

This rule ensures S3 buckets do not allow public read access for enhanced security.

Rule: S3 buckets should prohibit public read access
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

This rule requires that S3 buckets subject to NIST 800-53 Revision 5 have public read access prohibited. This ensures that sensitive data stored in S3 buckets is not accessible to unauthorized users, reducing the risk of data leaks or breaches.

Troubleshooting Steps:

If a bucket is found to have public read access enabled, the following troubleshooting steps can be taken:

  1. Identify the affected bucket(s) by reviewing the S3 bucket policies and permissions.
  2. Verify whether the public read access is intentional or a misconfiguration.
  3. Determine the impact of the public read access on the security and privacy of the data stored in the bucket.
  4. Review any associated AWS Identity and Access Management (IAM) policies and roles to identify any potential misconfigurations.
  5. Investigate any recent changes in permissions or policies that may have inadvertently allowed public read access.
  6. If the public read access is determined to be unintentional or non-compliant with the NIST 800-53 Revision 5 requirements, proceed with the remediation steps.

Remediation Steps:

To remediate the public read access issue and bring the S3 bucket into compliance with NIST 800-53 Revision 5, follow these steps:

  1. Identify the AWS account with access to the affected S3 bucket.
  2. Open the AWS Management Console and navigate to the S3 service.
  3. Locate the affected bucket and select it.
  4. Click on the "Permissions" tab.
  5. Review the access control list (ACL) and bucket policy for any existing public read permissions.
  6. Remove the public read permission from the bucket ACL or bucket policy.
  7. Configure proper access controls using AWS IAM roles, AWS S3 bucket policies, or Access Control Lists (ACLs) to grant appropriate, authorized access to the bucket.
  8. Test the access permissions to ensure that the required users or roles have the necessary access to the bucket, while public read access is prohibited.
  9. Document the changes made and update any relevant documentation or security procedures.
  10. Periodically review the S3 bucket access permissions to ensure ongoing compliance with NIST 800-53 Revision 5 requirements.
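As an added example (not part of this rule page or of Cloud Defense's tooling), the following Python checker implements the review called for in troubleshooting step 1 and remediation step 5: it takes the ACL and bucket policy documents as returned by aws s3api get-bucket-acl and aws s3api get-bucket-policy (or boto3's equivalents) and reports the grants and statements that make the bucket publicly readable. The sample ACL, policy, owner ID and role ARN below are constructed, not taken from a real account.

```python
import fnmatch
# Group URIs whose READ grant makes an S3 ACL public.
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Return (group URI, permission) pairs that grant READ to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            found.append((grantee["URI"], grant["Permission"]))
    return found

def _principal_is_everyone(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean anonymous access.
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def _action_covers_get_object(action):
    # Wildcards such as "s3:Get*" or "s3:*" also cover s3:GetObject.
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(action))

def public_read_statements(policy):
    """Allow statements letting everyone call s3:GetObject; conditional ones need manual review."""
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal"))
                and _action_covers_get_object(stmt.get("Action", []))):
            found.append({"Sid": stmt.get("Sid", f"statement[{i}]"),
                          "HasCondition": "Condition" in stmt})
    return found

def is_public_read(acl, policy):
    """True if the ACL or the bucket policy exposes the bucket's objects to everyone."""
    return bool(public_acl_grants(acl)) or bool(public_read_statements(policy))

# Constructed sample inputs shaped like get-bucket-acl / get-bucket-policy output.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-EXAMPLE"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::BUCKET_NAME/*"},
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::BUCKET_NAME/*"}]}
```

A statement flagged with HasCondition set should be reviewed by hand, since a Condition may or may not narrow the audience below "everyone".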

Relevant AWS CLI Command:

If you prefer to use the AWS Command Line Interface (CLI) for remediation, the following command can be used to remove the public read permission from the bucket policy:

aws s3api put-bucket-policy --bucket BUCKET_NAME --policy '{"Version":"2012-10-17","Statement":[{"Sid":"DenyPublicRead","Effect":"Deny","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::BUCKET_NAME/*"}]}'

Replace "BUCKET_NAME" with the name of the affected bucket. Be aware that put-bucket-policy replaces the bucket's entire existing policy with the document supplied, and that an explicit Deny with "Principal":"*" applies to every caller, including the account's own IAM users and roles; merge the statement into the existing policy and scope it so that the authorized access configured in step 7 is preserved.

Note:

Before making any changes to the bucket permissions or policies, it is recommended to thoroughly understand the access requirements and consult with the appropriate stakeholders to avoid any unintended consequences or disruptions to existing systems or applications.
