This rule ensures S3 buckets do not allow public read access to enhance security.
Rule | S3 buckets should prohibit public read access
Framework | PCI v3.2.1
Severity | Critical
Rule Description
S3 buckets should prohibit public read access for PCI v3. This rule ensures that the S3 buckets used for storing PCI (Payment Card Industry) data do not have any public read permissions, reducing the risk of unauthorized access to sensitive information.
Potential risks of allowing public read access to S3 buckets include the exposure of customer payment card data, financial loss due to fraud, legal penalties, and damage to the reputation of the organization.
Troubleshooting Steps
Check the bucket access policies: Begin by examining the access policies of the S3 buckets to determine if public read access is enabled.
Identify public read access points: Check the bucket's public access settings, such as "Block public access" and "Public access permissions", for anything that allows the public to read.
Determine the scope of the issue: Verify the extent of the public read access issue by reviewing the list of affected S3 buckets.
Review bucket ACLs: Access Control Lists (ACLs) grant access to specific AWS accounts and to predefined groups such as AllUsers. Confirm that there are no entries that allow public read access.
Review bucket policies: Bucket policies define what actions are allowed or denied for an S3 bucket. Ensure that there are no statements in the bucket policy that grant public read access.
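The checks in the troubleshooting steps above can be run offline against the policy and ACL documents the S3 API returns. The following is an added example, not code from the original page: it scans a bucket policy for Allow statements that grant s3:GetObject to a wildcard principal and a bucket ACL for grants to the AllUsers or AuthenticatedUsers groups. The sample policy, ACL, bucket name and account id are constructed.

```python
"""Offline check for the troubleshooting steps above: scan an S3 bucket
policy and bucket ACL (as returned by the S3 API) for grants that let
anyone read objects. Added example, not part of the original page; the
sample policy and ACL below are constructed."""
from fnmatch import fnmatchcase

# Grantee URIs that make an ACL grant public; AWS treats AuthenticatedUsers
# (any AWS account at all) as public as well.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACL_PERMISSIONS = {"READ", "FULL_CONTROL"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_object_read(action: str) -> bool:
    """Match s3:GetObject against the statement's action pattern ('*', 's3:*', 's3:Get*', ...)."""
    return fnmatchcase("s3:getobject", action.lower())


def policy_public_read_findings(policy: dict) -> list:
    """Allow statements that let a wildcard principal read objects."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        # NotAction grants everything except the listed actions, so treat it as broad.
        broad = "NotAction" in stmt
        if not broad and not any(_grants_object_read(a) for a in _as_list(stmt.get("Action"))):
            continue
        # A Condition may narrow the grant (e.g. to a VPC endpoint); it needs a human look.
        status = "review" if (broad or "Condition" in stmt) else "public"
        findings.append({"source": "policy", "sid": stmt.get("Sid", "<no Sid>"), "status": status})
    return findings


def acl_public_read_findings(acl: dict) -> list:
    """ACL grants that give a public group READ or FULL_CONTROL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_ACL_GROUPS
                and grant.get("Permission") in READ_ACL_PERMISSIONS):
            findings.append({"source": "acl", "grantee": grantee["URI"].rsplit("/", 1)[-1],
                             "permission": grant["Permission"], "status": "public"})
    return findings


def find_public_read(policy: dict, acl: dict) -> list:
    """Combined findings from the bucket policy and the bucket ACL."""
    return policy_public_read_findings(policy) + acl_public_read_findings(acl)


# Constructed sample input: one public GetObject grant, one account-scoped grant, one explicit deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-pci-bucket/*"},
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-pci-bucket", "arn:aws:s3:::example-pci-bucket/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-pci-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for finding in find_public_read(SAMPLE_POLICY, SAMPLE_ACL):
        print(finding)
```

Statements with a Condition or a NotAction are reported as "review" rather than "public" on purpose: a condition such as a VPC restriction may make the grant harmless, but only a person reading the statement can confirm that, so the checker never silently clears it.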
Remediation Steps
To address the issue of public read access to S3 buckets for PCI v3 compliance, follow these steps:
Ensure that the bucket policy explicitly denies public read access. To achieve this, add a statement like the following to the bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicRead",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "ACCOUNT-ID"
        }
      }
    }
  ]
}
Replace bucket-name with the actual name of your S3 bucket and ACCOUNT-ID with your AWS account ID. The Condition restricts the Deny to principals outside your account; without it, the statement would also block the roles and users in your own account that legitimately read the bucket. Check the bucket Access Control Lists (ACLs) and remove any entries that grant public read access.
Navigate to the properties of the bucket and enable "Block public access". The same setting is also available at the account level, where it applies to every bucket in the account. It overrides any conflicting policies and ACLs that would otherwise grant public read access.
Periodically review and audit the permissions of S3 buckets to ensure that public read access is not inadvertently granted. Implement measures to monitor and alert on any changes to bucket policies or ACLs.
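The remediation and monitoring steps above can be scripted. The following is an added example, not code from the original page or from AWS: it builds the hardened bucket policy (adding the DenyPublicRead statement once, without touching the other statements), reports which of the four Block Public Access flags are still off, and filters a batch of CloudTrail records for the S3 API calls that change who can read a bucket. The account id, bucket name and CloudTrail records are constructed.

```python
"""Remediation helpers for the steps above: build the hardened bucket policy,
check the Block Public Access configuration, and filter CloudTrail records
for permission changes that should raise an alert. Added example, not part
of the original page; the account id, bucket name and log records are constructed."""
import copy

ACCOUNT_ID = "111122223333"        # constructed placeholder, use your own account id
BUCKET = "example-pci-bucket"      # constructed placeholder


def deny_public_read_statement(bucket: str, account_id: str) -> dict:
    """Deny s3:GetObject to every principal outside our own account.
    Without the Condition, a Deny to Principal "*" would also lock out the
    roles in the account that legitimately read the bucket."""
    return {
        "Sid": "DenyPublicRead",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": {"aws:PrincipalAccount": account_id}},
    }


def harden_policy(policy, bucket: str, account_id: str) -> dict:
    """Return a copy of `policy` (None if the bucket has no policy yet) with the
    DenyPublicRead statement present exactly once; other statements are kept."""
    new = copy.deepcopy(policy) if policy else {"Version": "2012-10-17", "Statement": []}
    stmts = new["Statement"] if isinstance(new["Statement"], list) else [new["Statement"]]
    stmts = [s for s in stmts if s.get("Sid") != "DenyPublicRead"]
    stmts.append(deny_public_read_statement(bucket, account_id))
    new["Statement"] = stmts
    return new


# The four flags of the S3 Block Public Access setting; all should be on.
BLOCK_PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets")


def missing_block_public_access(config: dict) -> list:
    """Names of the Block Public Access flags that are not enabled."""
    return [flag for flag in BLOCK_PUBLIC_ACCESS_FLAGS if not config.get(flag, False)]


# CloudTrail eventNames that change who can read a bucket.
PERMISSION_CHANGE_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                            "PutPublicAccessBlock", "DeletePublicAccessBlock"}


def flag_permission_changes(records: list) -> list:
    """(eventName, bucket, actor ARN) for every S3 permission change in a batch of CloudTrail records."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in PERMISSION_CHANGE_EVENTS:
            continue
        bucket = rec.get("requestParameters", {}).get("bucketName", "<unknown>")
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        hits.append((rec["eventName"], bucket, actor))
    return hits


# Constructed sample input.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRead", "Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/app-reader"},
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}
SAMPLE_TRAIL = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": BUCKET},
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": BUCKET, "key": "report.csv"},
     "userIdentity": {"arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/app-reader/i-0abc"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutPublicAccessBlock",
     "requestParameters": {"bucketName": BUCKET},
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(harden_policy(EXISTING_POLICY, BUCKET, ACCOUNT_ID), indent=2))
    print(missing_block_public_access({"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": False}))
    print(flag_permission_changes(SAMPLE_TRAIL))
```

Running harden_policy on an already hardened policy leaves it unchanged, so it can be applied from a periodic job without accumulating duplicate statements; the CloudTrail filter is the piece to wire into whatever alerting the organization already uses for the audit step.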
Conclusion
By following the troubleshooting and remediation steps above, you can ensure that S3 buckets used for PCI compliance are not publicly readable. Regularly reviewing and monitoring bucket permissions will help maintain the desired level of security and compliance while reducing the risk of unauthorized access to sensitive PCI data.