Rule: Ensure that S3 Buckets have 'Block public access'
This rule ensures proper configuration of S3 Buckets to block public access for better security measures.
| Rule | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' |
| Framework | cis_v150 |
| Severity | ✔ Critical |
Rule Description:
The rule "cis_v150" ensures that S3 buckets in your AWS account are properly configured with "Block public access (bucket settings)" enabled. This setting helps to prevent unintentional public exposure of your S3 data and enforces better security practices.
Enabling "Block public access" ensures that only authorized users or resources can access the S3 buckets, increasing the confidentiality and privacy of your data.
Troubleshooting Steps:
- 1.Identify the S3 bucket that violates the rule.
- 2.Review the bucket's current access control configuration.
- 3.Enable 'Block public access (bucket settings)' if not already enabled.
- 4.Validate the correct configuration to ensure the rule compliance.
Necessary Code:
No code is required for this rule. The configuration settings can be updated through the AWS Management Console, AWS CLI, or AWS SDKs.
Step-by-step Guide:
Please follow the steps below to ensure compliance with the "cis_v150" rule:
- 1.
AWS Management Console:
- Log in to the AWS Management Console.
- Navigate to the S3 service.
- Click on the specific bucket that needs to be configured.
- Click on the "Permissions" tab.
- Under the "Block public access" section, click on the "Edit" button.
- Select the checkboxes next to "Block all public access" and "Block public access to buckets and objects granted through new access control lists (ACLs)."
- Click on "Save changes" to update the bucket configuration.
- 2.
AWS CLI:
Open the command-line interface (CLI).
Execute the following command to enable "Block public access" on the bucket:
aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"Replace
with the actual name of the bucket.<bucket-name>
- 3.
AWS SDKs:
- Utilize the programming language of your choice to interact with the AWS SDK.
- Use the appropriate SDK function to update the bucket's "Block public access" configuration, such as
in the AWS SDK for Python (Boto3).PutPublicAccessBlock
After performing these steps, the S3 bucket will be compliant with the "cis_v150" rule, ensuring that public access to the bucket is blocked and improving the overall security posture of your AWS account.