This rule ensures that S3 public access is blocked at the bucket level, so that a permissive bucket policy or ACL cannot expose the bucket's objects to the internet.
Rule | S3 public access should be blocked at bucket levels |
Framework | CISA-cyber-essentials |
Severity | ✔ High |
Rule Description:
This rule ensures that public access to S3 buckets is blocked at the bucket level, for compliance with the CISA Cyber Essentials guidelines. S3 Block Public Access is a guardrail that overrides public grants made through ACLs or bucket policies, so enabling it protects sensitive data from unauthorized access even when a policy or ACL is later misconfigured.
Troubleshooting Steps:
If S3 public access is not blocked at the bucket level, follow these troubleshooting steps:
Verify the bucket policy: Check the bucket policy to ensure it does not allow public access. Review each entry in the "Statement" section: a statement grants public access when its "Effect" is "Allow" and its "Principal" is "*" or {"AWS": "*"} (anonymous callers or any AWS account). For each such statement, check the "Action" (for example s3:GetObject or s3:ListBucket) and the "Condition". Conditions such as aws:SourceIp, aws:SourceVpc or aws:PrincipalOrgID can narrow a wildcard principal, but any wildcard "Allow" should be reviewed by hand, and an unconditioned one makes the bucket public. A "Deny" statement never grants access and is not a finding.
Check block public access settings: Navigate to the bucket's "Permissions" tab in the AWS Management Console and confirm that the "Block public access (bucket settings)" section shows all four settings as On. The four settings, with their API names, are:
Block public access to buckets and objects granted through new access control lists (ACLs) (BlockPublicAcls)
Block public access to buckets and objects granted through any access control lists (ACLs) (IgnorePublicAcls)
Block public access to buckets and objects granted through new public bucket or access point policies (BlockPublicPolicy)
Block public and cross-account access to buckets and objects through any public bucket or access point policies (RestrictPublicBuckets)
Also check the account-level "Block Public Access settings for this account" page: if the account and bucket settings differ, S3 applies the more restrictive combination, so an account-level setting can satisfy the rule for every bucket.
Verify bucket permissions: Check whether the bucket ACL grants anything to "Everyone (public access)" (the AllUsers group, i.e. anonymous requests) or to "Authenticated users group" (the AuthenticatedUsers group, which is anyone with an AWS account, not just users of your own account, and is therefore effectively public). Remove any such grants that are not necessary; READ on the bucket lets anyone list it, and WRITE lets anyone upload or delete objects.
Examine object ACLs: Objects carry their own ACLs, and an object granted public-read is exposed even when the bucket ACL is clean. Review the ACLs of sensitive objects for "Grantee" entries naming the AllUsers or AuthenticatedUsers groups and remove them. The IgnorePublicAcls setting above neutralizes such grants, and setting "Object Ownership" to "Bucket owner enforced" disables ACLs on the bucket and its objects altogether, which is the simplest way to rule this class of exposure out.
Necessary Codes:
Block Public Access is a bucket-level configuration applied through the S3 PutPublicAccessBlock API, not a bucket policy statement. The following configuration, with all four flags set to true, blocks public access at the bucket level; it is what the console's "Block all public access" checkbox applies:
{
  "BlockPublicAcls": true,
  "IgnorePublicAcls": true,
  "BlockPublicPolicy": true,
  "RestrictPublicBuckets": true
}
A bucket policy such as the following enforces HTTPS-only access by denying any request made without TLS (aws:SecureTransport is false). It is a worthwhile hardening step, but it does not block public access: it only rejects plaintext requests and leaves anything granted by a public policy or ACL intact, so it is not a substitute for the configuration above.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
Step-by-Step Guide for Remediation:
To remediate the issue and block S3 public access at the bucket level, follow these steps:
Log in to the AWS Management Console.
Navigate to the S3 service.
Select the bucket that needs to be secured.
Click on the "Permissions" tab.
Under "Block public access (bucket settings)", click "Edit", tick "Block all public access" so that all four settings are enabled, save, and confirm the change. Once BlockPublicPolicy is on, the console will refuse to save a public bucket policy, and once RestrictPublicBuckets is on, any existing public policy is ignored, so this step alone closes the exposure.
Still on the "Permissions" tab, review the bucket policy and remove any "Allow" statements whose "Principal" is "*" or {"AWS": "*"}. Keep statements that grant access to specific IAM roles or accounts, and keep any "Deny" statements (for example the Deny on aws:SecureTransport listed under Necessary Codes), since they grant nothing. Do not replace the whole policy with a different one, or legitimate access by applications and cross-account roles will break.
Under "Access control list (ACL)", remove any grants to "Everyone (public access)" or "Authenticated users group (anyone with an AWS account)". If ACLs are not needed, set "Object Ownership" to "Bucket owner enforced", which disables ACLs on the bucket and its objects.
Save the changes.
Perform testing to verify that public access to the S3 bucket is now blocked: in the bucket list, the "Access" column should read "Bucket and objects not public", and an unauthenticated HTTPS request for an object (for example with curl and no credentials) should return 403 Access Denied.
Repeat the process for any other S3 buckets that require blocking public access, or enable Block Public Access at the account level so that new buckets are covered as well; the stricter of the account-level and bucket-level settings applies.
By following these steps, you can effectively block S3 public access at the bucket level in compliance with CISA-Cyber Essentials guidelines.
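The troubleshooting checks and the remediation above, as an added Python example (not code from the original page or from AWS): it audits a bucket's captured Block Public Access configuration, bucket policy and ACL for the conditions described, and builds the arguments for the PutPublicAccessBlock call. The sample configuration, policy and ACL are constructed to show a misconfigured bucket, the bucket name and account ID are placeholders, and the function names are mine.

```python
"""Audit one S3 bucket for public exposure from captured configuration and
build the Block Public Access remediation request. Added example using
constructed sample data; nothing here talks to AWS."""
import json

# The four Block Public Access flags as returned by GetPublicAccessBlock and
# accepted by PutPublicAccessBlock. The rule passes only when all four are true.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# ACL grantee URIs that mean "anyone": AllUsers is anonymous, AuthenticatedUsers
# is any AWS account in the world, which is effectively public as well.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def missing_bpa_flags(config):
    """Names of Block Public Access flags that are not set to true."""
    return [f for f in BPA_FLAGS if not config.get(f, False)]


def public_policy_statements(policy):
    """Sids of Allow statements with a wildcard principal. Deny statements are
    skipped because they grant nothing. A wildcard Allow that carries a Condition
    is still reported: conditions can narrow it, but that needs manual review."""
    sids = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal")):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids


def public_acl_grants(acl):
    """(grantee URI, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def audit_bucket(bpa_config, policy, acl):
    """Every finding that would make the rule fail for one bucket."""
    return {
        "missing_bpa_flags": missing_bpa_flags(bpa_config),
        "public_policy_sids": public_policy_statements(policy),
        "public_acl_grants": public_acl_grants(acl),
    }


def remediation_request(bucket):
    """Keyword arguments for boto3's s3.put_public_access_block(**...)."""
    return {"Bucket": bucket,
            "PublicAccessBlockConfiguration": {f: True for f in BPA_FLAGS}}


# Constructed sample data for a misconfigured bucket (not from a real account).
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # HTTPS-only Deny: hardening, but not a public grant, so not a finding.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_BPA, SAMPLE_POLICY, SAMPLE_ACL), indent=2))
    print(json.dumps(remediation_request("example-bucket"), indent=2))
```

For a real bucket, feed the functions the output of `aws s3api get-public-access-block`, `get-bucket-policy` (its Policy field is a JSON string and needs json.loads) and `get-bucket-acl`. The remediation dictionary unpacks straight into boto3's `s3.put_public_access_block(**remediation_request(name))` and is the same configuration sent by `aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`. Note that on the sample data the HTTPS-only Deny is correctly not reported, while the wildcard Allow, the AllUsers ACL grant and the three disabled flags are.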