Rule: S3 Public Access Blocked at Account Level
This rule ensures that S3 public access is blocked at the account level to enhance security.
| Rule | S3 public access should be blocked at account level |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Medium |
S3 Public Access Blocking at Account Level for CISA Cyber Essentials
Description:
S3 (Simple Storage Service) is a popular service provided by AWS (Amazon Web Services) that offers scalable object storage for various purposes. It is important to ensure that S3 buckets are properly secured to prevent unauthorized or unintended access to sensitive data.
The CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials is a set of best practices and guidelines created to help organizations improve their cybersecurity posture. One of the key recommendations is to block public access to S3 buckets at the account level to mitigate the risk of potential security breaches.
By implementing this rule, you will ensure that all S3 buckets within your AWS account have public access blocked by default, minimizing the chances of accidental exposure of data to the public internet.
Troubleshooting Steps (if applicable):
- 1.
Identify mistaken public access: Review the access settings of your S3 buckets and check if any are inadvertently allowing public access.
- Access the AWS Management Console.
- Navigate to the S3 service.
- Select each bucket and verify the access permissions.
- Look for any objects or buckets with unnecessarily open access policies.
- Remove or modify any problematic access policies to prevent public access.
- 2.
Check bucket policies: Ensure that there are no bucket policies allowing public access to your S3 buckets.
- Access the S3 service in the AWS Management Console.
- Select each bucket and navigate to the "Permissions" tab.
- Review the bucket policies for any Allow or Deny statements permitting public access.
- Modify or remove any policies that allow open access.
- 3.
Verify ACLs (Access Control Lists) for objects: Check the ACLs for each object within your S3 buckets to ensure public access is restricted.
- Access the S3 service in the AWS Management Console.
- Select each bucket, navigate to the "Properties" tab, and review the objects.
- Check the ACLs for individual objects and make sure they do not grant public access.
- Modify the ACLs if necessary to restrict access.
Necessary Codes (if applicable):
There are no specific codes required for blocking S3 public access at the account level. However, here is an example of how to enable block public access for a specific bucket using AWS CLI:
aws s3api put-public-access-block --bucket my-bucket --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
This CLI command will block public access at the bucket level by enforcing the specified restrictions.
Step-by-Step Guide for Remediation:
- 1.
Access AWS Management Console:
- Open a web browser and go to the AWS Management Console login page.
- Enter your credentials to log in.
- 2.
Navigate to S3 service:
- Once logged in, search for "S3" in the AWS services search bar, or find and click on the S3 icon under "Storage" in the service list.
- You will be redirected to the S3 management console.
- 3.
Review the existing S3 buckets:
- In the S3 management console, you'll see a list of all your S3 buckets.
- Click on each bucket to review its settings and access permissions.
- 4.
Check for public access permissions:
Within each bucket, navigate to the "Permissions" tab.
Review the "Bucket policy" and "Access control list (ACL)" sections for any policies or permissions that grant public access.
If any public access permissions are found, proceed with the following steps:
- Select the bucket by clicking on its name.
- Click on the "Permissions" tab.
- Edit or remove the policies that allow public access.
- 5.
Enable public access blocking (account level):
In the S3 management console, click on the "Account settings" link located at the top right corner.
Under the "Block public access" section, check whether the settings are already enabled.
If public access blocking is not enabled, follow the steps below to enable it:
- Click on the "Edit" button next to "Block public access".
- Check all the options under the "Block public access" settings:
- Block all public access
- Block public access to buckets and objects granted through new access control lists (ACLs)
- Block public access to buckets and objects granted through any access control lists (ACLs)
- Block public access to buckets and objects granted through new public bucket policies
- Block public access to buckets and objects granted through any public bucket policies
- Click on "Save changes" to enable public access blocking at the account level.
- 6.
Review and update bucket policies and ACLs:
- After enabling public access blocking at the account level, revisit each S3 bucket.
- Navigate to the "Permissions" tab for each bucket and review the policies and access control lists again to ensure public access is restricted.
- Modify or remove any policies or ACLs that allow public access.
- 7.
Verify the changes:
- Once all the necessary modifications have been made, review the bucket settings to ensure that public access has been successfully blocked at the account level.
- Double-check the ACLs and bucket policies for any misconfigurations that may result in public access.
By following these steps, you will effectively block public access to S3 buckets at the account level, aligning with the CISA Cyber Essentials best practices and enhancing the security of your AWS infrastructure.