Rule: S3 Buckets Should Prohibit Public Read Access

This rule ensures S3 buckets restrict public read access for security.

Rule	S3 buckets should prohibit public read access
Framework	CISA-cyber-essentials
Severity	✔ Medium

Rule Description

The S3 buckets should be configured to prohibit public read access for CISA-cyber-essentials compliance. This rule ensures that no unauthorized individuals or entities can read the contents of the S3 buckets, thus protecting sensitive data and maintaining data privacy and security.

Troubleshooting Steps (if applicable)

1.
Check the bucket permissions: Ensure that the bucket policies and/or access control lists (ACLs) are properly configured to restrict public read access.

2.
Validate IAM policies: Ensure that the IAM policies associated with the S3 buckets do not grant public access permissions.

3.
Audit bucket permissions: Run regular audits to check for any potential misconfigurations or changes that may allow public read access.

Necessary Codes (if applicable)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicReadAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}

Step-by-Step Guide for Remediation

1.

Identify the S3 buckets that require remediation.

2.

Access the AWS Management Console and navigate to the Amazon S3 service.

3.

Select the appropriate bucket that needs to have its public read access prohibited.

4.

Click on the "Permissions" tab.

5.

In the "Bucket Policy" section, click on the "Edit" button.

Replace any existing bucket policy with the following JSON code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicReadAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}

Replace

<bucket-name>

with the name of your actual bucket.

7.

Click on the "Save changes" button to apply the new policy.

8.

Repeat steps 3-7 for each S3 bucket that needs to have public read access prohibited.

9.

Validate the changes by attempting to access the bucket's contents without proper authorization. It should deny access to the public.

10.

Perform regular audits to ensure the bucket policies are consistently enforcing the prohibition of public read access.

Note: It is also recommended to review and update the IAM policies associated with the S3 buckets to ensure they do not grant public access permissions.

By following these steps, you can successfully prohibit public read access for CISA-cyber-essentials compliance in your S3 buckets.

Rule: S3 Buckets Should Prohibit Public Read Access

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}Troubleshooting Steps (if applicable)

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}Necessary Codes (if applicable)

.css-doq6ia{margin:0;font-family:Inter;font-weight:400;font-size:1.2857142857142858rem;line-height:1.5;color:#161857;text-align:left;font-size:26px;font-weight:700;margin-top:1rem;}Step-by-Step Guide for Remediation

Is your System Free of Underlying Vulnerabilities? Find Out Now

Troubleshooting Steps (if applicable)

Necessary Codes (if applicable)

Step-by-Step Guide for Remediation

Is your System Free of Underlying Vulnerabilities?
Find Out Now