Rule: S3 Buckets Should Prohibit Public Read Access
This rule ensures S3 buckets are secure by restricting public read access.
| Rule | S3 buckets should prohibit public read access |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description:
S3 buckets should have public read access prohibited in order to comply with NIST 800-53 Revision 5 security requirements. Giving public read access to S3 buckets can potentially expose sensitive data to unauthorized or malicious users. To ensure data privacy and security, public read access should be disabled.
Troubleshooting Steps:
- 1.Identify S3 buckets: First, identify all the S3 buckets in your AWS account that may have public read access enabled.
- 2.Check bucket permissions: Verify the permission settings for each S3 bucket to determine if public read access is allowed.
- 3.Review access control lists (ACLs): Review the ACLs for each bucket and ensure that the "AllUsers" or "AuthenticatedUsers" group does not have read permissions.
- 4.Review bucket policies: Check the bucket policies for any statements that allow public read access. Modify or remove those statements to restrict access.
- 5.Review bucket-level public access settings: If your AWS account is using AWS Block Public Access settings, ensure that the "Block public access to buckets and objects granted through new public bucket or access point policies" option is enabled.
- 6.Test access restrictions: Validate that public read access has been successfully disabled by attempting to access the bucket or its contents without proper authentication.
Necessary Codes:
There are no specific codes required for this rule, but you may need to modify or remove existing bucket policies and ACLs.
Step-by-Step Guide for Remediation:
- 1.Login to the AWS Management Console.
- 2.Navigate to the Amazon S3 service.
- 3.Identify the S3 bucket(s) requiring changes to prohibit public read access.
- 4.Select the bucket name from the bucket list.
- 5.Click on the "Permissions" tab.
- 6.Review the "Access control list (ACL)" section.
- If you find any entries granting "READ" access to "AllUsers" or "AuthenticatedUsers," proceed to step 7.
- If no such entries are found, public read access is already prohibited. You can skip the remaining steps.
- 7.Click on the "Access control list (ACL)" section to expand it.
- 8.Locate the entry with "Grantee" set to "Everyone" or "AuthenticatedUsers" and "Permissions" set to "READ."
- 9.Click on the "Remove" button or modify the permission to remove the "READ" access.
- 10.Scroll down to the "Bucket policy" section.
- 11.Review the bucket policy statements to ensure there are no statements allowing public read access.
- 12.If any statements are found, modify or remove those statements to restrict access.
- 13.Scroll further down to the "Public access" section.
- 14.Ensure that the "Block public access to buckets and objects granted through new public bucket or access point policies" option is enabled.
- 15.Click on "Save" or "Apply changes" to update the bucket settings.
- 16.Repeat steps 4-15 for any other S3 buckets that require changes.
- 17.Test the bucket access by attempting to access it or its contents without proper authentication. You should receive an access denied error if public read access is successfully prohibited.
By following these steps, you can ensure that your S3 buckets are configured to prohibit public read access, aligning with the security requirements of NIST 800-53 Revision 5.