S3 Public Access Block Rule

This rule ensures blocking of S3 public access at account and bucket levels.

Rule: S3 public access should be blocked at account and bucket levels
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Medium

Rule Description:

The rule mandates blocking public access to all Amazon S3 buckets at both the account and bucket levels, in accordance with the guidelines provided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v1. This rule helps ensure data security and privacy by preventing unauthorized access to S3 buckets and their contents.

Troubleshooting Steps:

  1. Ensure that there are no explicit permissions allowing public access to the S3 buckets.
  2. Review the bucket policies to verify that there are no statements allowing public access.
  3. Check the access control lists (ACLs) of the buckets to ensure public access is not granted.
  4. If using AWS Organizations, review the settings for the entire account hierarchy to block public access across all accounts.
  5. Verify that any cross-account access to the buckets is properly configured and does not compromise security.

Necessary Codes:

No specific codes are required for this rule. However, you may need to update the bucket policies or access control lists (ACLs) if public access is detected and needs to be blocked.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console.
  2. Go to the Amazon S3 service.
  3. Navigate to the dashboard listing all available S3 buckets.
  4. Review each bucket individually to ensure public access is blocked.

Checking for Bucket-Level Public Access:

  1. Select a bucket from the list.
  2. Click on the "Permissions" tab.
  3. Under the "Block public access" section, ensure that all options are enabled (i.e., "Block all public access").
  4. If any options are not enabled, click on the "Edit" button and enable them. Ensure that both account and bucket policies are blocked.
  5. Save the changes.

Checking for Account-Level Public Access (if using AWS Organizations):

  1. Access the AWS Organizations console.
  2. Go to the "Accounts" section.
  3. Review each account to ensure public access prevention is set consistently across the organization.
  4. Click on an account name to view the details.
  5. Under the "Service Control Policies" (SCP) section, verify that there are no policies allowing public access to S3.
  6. If any SCP permits public access, create a new SCP or modify the existing one to prohibit public access to S3 buckets.
  7. Apply the updated SCP to the respective organizational units or accounts as needed.
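The bucket-level and account-level checks above, scripted as an added example (not the Cloud Defense rule's own tooling): it reads the S3 account-level Block Public Access configuration through the s3control API and each bucket's own configuration, and reports which of the four "Block all public access" flags are off at each level. The function names, the "unprotected" classification and the treatment of a missing configuration as all flags off are this example's own assumptions.

```python
"""Audit S3 Block Public Access flags at account and bucket level (added example)."""
from __future__ import annotations

# The four flags the console turns on under "Block all public access".
REQUIRED_FLAGS = (
    "BlockPublicAcls",        # reject new public ACLs
    "IgnorePublicAcls",       # ignore public ACLs that already exist
    "BlockPublicPolicy",      # reject bucket policies that grant public access
    "RestrictPublicBuckets",  # confine an existing public policy to AWS principals
)

def missing_flags(config: dict | None) -> list[str]:
    """Flags not enabled in a PublicAccessBlockConfiguration dict; None models
    NoSuchPublicAccessBlockConfiguration, i.e. no block at all (all four off)."""
    if config is None:
        return list(REQUIRED_FLAGS)
    return [f for f in REQUIRED_FLAGS if not config.get(f, False)]

def evaluate(account: dict | None, buckets: dict[str, dict | None]) -> dict:
    """Per-scope findings. Account flags apply on top of bucket flags, so a
    bucket is 'unprotected' only where both levels leave the same flag off."""
    account_missing = missing_flags(account)
    findings = {"account": account_missing, "buckets": {}, "unprotected": []}
    for name, cfg in buckets.items():
        bucket_missing = missing_flags(cfg)
        if bucket_missing:
            findings["buckets"][name] = bucket_missing
        if set(bucket_missing) & set(account_missing):
            findings["unprotected"].append(name)
    return findings

def audit_with_boto3(region: str = "us-east-1") -> dict:
    """Live audit; needs boto3 and credentials (not run in the offline test)."""
    import boto3
    from botocore.exceptions import ClientError

    def fetch(call, **kwargs):  # treat a missing configuration as all flags off
        try:
            return call(**kwargs)["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
                return None
            raise

    account_id = boto3.client("sts").get_caller_identity()["Account"]
    s3, s3control = boto3.client("s3"), boto3.client("s3control", region_name=region)
    account = fetch(s3control.get_public_access_block, AccountId=account_id)
    buckets = {b["Name"]: fetch(s3.get_public_access_block, Bucket=b["Name"])
               for b in s3.list_buckets()["Buckets"]}
    return evaluate(account, buckets)
```

Any bucket named under "buckets" fails the bucket-level check of this rule regardless of the account setting; "unprotected" narrows that to buckets where neither level closes the gap.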

Conclusion:

Following the NIST Cybersecurity Framework (CSF) v1 guidelines, it is crucial to block public access to Amazon S3 buckets at both the account and bucket levels. By diligently reviewing and updating the bucket policies, access control lists (ACLs), and account-level settings, you can ensure the security and privacy of your S3 data.
