Rule: S3 Buckets Should Prohibit Public Write Access
This rule ensures that S3 buckets have restricted public write access.
| Rule | S3 buckets should prohibit public write access |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ High |
Description of the Rule
The rule enforces that S3 (Simple Storage Service) buckets should not allow public write access according to the guidelines provided in the NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) version 1. This is to ensure the security of stored data and prevent unauthorized modifications or deletions by external users.
Troubleshooting Steps
If there are any issues related to public write access in S3 buckets, the following troubleshooting steps can be performed:
- 1.
Verify bucket access settings: Check the access control settings of the S3 bucket to determine if public write access is enabled. Review the bucket policy, access control lists (ACLs), and any external access policies associated with the bucket.
- 2.
Check for misconfigured policies: Ensure that there are no misconfigured or overly permissive access policies that allow public write access. Make sure that the bucket policy doesn't have any "Allow" statements with the "s3:PutObject" or similar actions for the "Principal" set as "*" (public).
- 3.
Audit object-level permissions: Review the permissions for individual objects within the bucket. Ensure that no objects have public write access explicitly granted. If necessary, modify the object-level ACLs to restrict access.
- 4.
Investigate cross-account access: If the S3 bucket is shared with other AWS accounts, check if any cross-account permissions allow public write access unintentionally. Review and modify the relevant IAM (Identity and Access Management) policies or resource-based policies associated with the bucket.
Necessary Codes
If any code changes are required, the following examples demonstrate how to restrict public write access using S3 bucket policies.
Example 1: Deny public write access using a bucket policy:
{
"Version": "2012-10-17",
"Id": "DenyPublicWriteAccess",
"Statement": [
{
"Sid": "DenyPublicWrite",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
Example 2: Deny public write access using an ACL:
$ aws s3api put-bucket-acl --bucket your-bucket-name --acl private
Step-by-Step Guide for Remediation
Follow these steps to remediate the issue of public write access in an S3 bucket:
- 1.
Identify the target S3 bucket for remediation.
- 2.
Review the current bucket policy and access control settings.
- 3.
Open the AWS Management Console or use the AWS CLI (Command Line Interface) to access the bucket's configuration.
- 4.
Modify the bucket policy or ACL settings to restrict public write access.
a. If using a bucket policy, replace or add the necessary "Deny" statements for the "s3:PutObject" and "s3:PutObjectAcl" actions with the "Principal" set as "*" (public). Follow the example provided in the "Necessary Codes" section and adjust it according to your bucket name.
b. If using an ACL, run the command mentioned in the "Necessary Codes" section, replacing "your-bucket-name" with the actual name of your bucket.
- 5.
Save the updated configuration settings.
- 6.
Test the changes by attempting to write an object to the bucket using public access. It should be denied.
- 7.
Verify that the bucket now complies with the prohibition of public write access as defined by the NIST CSF v1.
- 8.
Document the changes made and communicate them to the relevant stakeholders.
Conclusion
By adhering to the rule that S3 buckets should prohibit public write access according to the NIST Cybersecurity Framework (CSF) v1, you can enhance the security of your stored data, ensuring that only authorized users have the ability to modify or delete objects within the bucket. By following the troubleshooting steps, necessary codes, and step-by-step guide provided, you can effectively enforce this rule and maintain a secure S3 bucket environment.