Rule: S3 Buckets Should Prohibit Public Write Access

Ensure that S3 buckets restrict public write access to maintain data security.

Rule: S3 buckets should prohibit public write access
Framework: CISA-cyber-essentials
Severity: High

Rule/Policy Description:

This rule, part of the CISA-cyber-essentials framework, states that S3 buckets should prohibit public write access. Any S3 bucket that is publicly accessible must not allow the public to write or modify data within it. This maintains the security and integrity of the data stored in the bucket by ensuring that only authorized individuals or applications can make changes.

Troubleshooting Steps:

  1. Check bucket permissions: Verify that the S3 bucket's permissions are properly configured to prohibit public write access. Check if there are any "Write" permissions allowed to "Everyone" or any public entities.

  2. Audit bucket policies: Review the bucket policies associated with the S3 bucket. Ensure that there are no policies allowing public write access.

  3. Check bucket ACLs: Examine the Access Control List (ACL) for the S3 bucket. Confirm that there are no entries granting write access to public users.

Necessary Codes:

No specific codes are provided for this rule/policy.

Step-by-Step Guide for Remediation:

  1. Go to the AWS S3 Management Console.

  2. Select the S3 bucket for which you want to enforce the prohibition of public write access.

  3. Click on the "Permissions" tab.

  4. Review the "Bucket Policy" section. If there is any policy defined, ensure it does not allow public write access. Modify or remove the policy if necessary.

  5. Scroll down to the "Access Control List (ACL)" section.

  6. Check if there are any entries granting write access to public users. If any exist, select the entry and click on the "Delete" button to remove it.

  7. Repeat steps 2-6 for any other S3 buckets that need to enforce this prohibition.

  8. Perform regular audits to ensure the buckets maintain the appropriate permissions and access controls to prohibit public write access.

Note: It is recommended to follow the principle of least privilege and grant only necessary permissions to appropriate users or processes.
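The policy and ACL checks from the troubleshooting steps, and the recurring audit in remediation step 8, can be scripted. The following is an added example, not code from the original page: it inspects dictionaries shaped like the S3 GetBucketAcl and GetBucketPolicy responses, and the function names, the list of write actions, and the sample inputs are assumptions constructed for illustration.

```python
import fnmatch

# Predefined S3 groups whose ACL grants count as public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # ACL permissions that allow changes
# Representative write actions (not exhaustive) tested against each policy Action pattern.
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketAcl"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_write_acl_grants(acl):
    """(group URI, permission) for each public write grant in a GetBucketAcl-shaped dict."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in WRITE_PERMISSIONS]

def is_public_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return principal == "*"

def public_write_policy_statements(policy):
    """(Sid or index, has_condition) per public Allow of a write action; conditioned ones are kept for review."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        patterns = [p.lower() for p in as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(a.lower(), p) for a in WRITE_ACTIONS for p in patterns):
            findings.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return findings

# Constructed sample inputs (not from a real bucket).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"},
]}
if __name__ == "__main__":
    print(public_write_acl_grants(SAMPLE_ACL), public_write_policy_statements(SAMPLE_POLICY))
```

Statements that use NotAction or NotPrincipal are not evaluated by this sketch and need manual review.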
