
Rule: S3 Buckets should Prohibit Public Write Access

This rule checks that no S3 bucket allows anonymous principals, or any principal from an arbitrary AWS account, to create, overwrite or delete objects in it.

Rule: S3 buckets should prohibit public write access
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description: S3 buckets should prohibit public write access for FedRAMP Low Revision 4

This rule checks that neither the bucket policy nor the bucket ACL grants a write permission to the public (Principal "*", or the AllUsers / AuthenticatedUsers ACL groups), as required for compliance with the FedRAMP Low security standard, Revision 4.

Troubleshooting Steps (if necessary):

  1. Check whether the bucket policy contains an Allow statement whose Principal is "*" or {"AWS": "*"} and whose Action includes a write (s3:PutObject, s3:DeleteObject, s3:PutObjectAcl, or a wildcard such as s3:Put* or s3:*). Only Allow statements make a bucket public; Deny statements and conditions such as aws:SecureTransport do not. The AWS CLI command s3api get-bucket-policy-status reports AWS's own verdict in the IsPublic field.
  2. Check the bucket ACL (s3api get-bucket-acl) for grants of WRITE, WRITE_ACP or FULL_CONTROL to the AllUsers or AuthenticatedUsers groups, and check whether S3 Block Public Access is disabled at the bucket or account level (s3api get-public-access-block). Identity-based IAM policies apply only to the users and roles they are attached to, so they cannot be the source of public write access.
  3. Review the configuration history (AWS Config, or the PutBucketPolicy and PutBucketAcl events in CloudTrail) to identify the change that introduced public write access.

Necessary Code (if necessary):

If the bucket policy or the bucket ACL needs to be modified, you can use the following code snippets as reference. Neither replaces S3 Block Public Access, which should be enabled on the bucket as well.

Bucket Policy:

The statement below denies object writes to every principal that is not in the bucket owner's account (111122223333 is a placeholder; substitute your own account ID). Anonymous requests carry no aws:PrincipalAccount key, so the StringNotEquals condition matches them and the Deny applies, while users and roles in your own account are unaffected. A condition on aws:SecureTransport, by contrast, only rejects requests made without TLS and says nothing about who may write.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicWriteAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::your-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "111122223333"
                }
            }
        }
    ]
}

The Deny is a safety net, not the fix itself: also delete any Allow statement with "Principal": "*" that grants s3:PutObject, s3:DeleteObject or s3:PutObjectAcl, because that statement is what makes the bucket public.

IAM Policy:

Identity-based IAM policies cannot grant anonymous access, so an IAM policy is never what makes a bucket publicly writable. Where an IAM policy helps is as a guardrail: attached to roles that should not be able to make the bucket public, the Deny below blocks changes to the bucket policy, the bucket and object ACLs, and the bucket's Block Public Access settings.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMakingBucketPublic",
            "Effect": "Deny",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:PutBucketAcl",
                "s3:PutObjectAcl",
                "s3:PutBucketPublicAccessBlock"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket",
                "arn:aws:s3:::your-bucket/*"
            ]
        }
    ]
}

Remediation Steps:

Follow the steps below to remediate the S3 bucket and prohibit public write access:

  1. Identify the S3 bucket that needs to be modified.
  2. Confirm your identity and permissions to modify the S3 bucket.
  3. Access the AWS Management Console or use the AWS CLI with appropriate credentials.

AWS Management Console:

  1. Navigate to the S3 service.
  2. Find and select the target S3 bucket that violates the rule.
  3. Click on the "Permissions" tab.
  4. Review the "Block public access (bucket settings)", "Bucket policy" and "Access control list (ACL)" sections.
  5. If the bucket policy contains an Allow statement that grants write actions to Principal "*", click "Edit" next to "Bucket policy", delete that statement and add the Deny statement from the necessary code provided above.
  6. If the ACL grants Write (on objects or on the bucket ACL) to "Everyone (public access)" or to "Authenticated users group (anyone with an AWS account)", click "Edit" next to "Access control list (ACL)" and remove those grants. Then click "Edit" under "Block public access (bucket settings)" and turn on all four settings.
  7. Click "Save changes" to apply each change.

AWS CLI:

  1. Open the AWS CLI or a terminal with credentials that are allowed to change the bucket's permissions.
  2. Save the corrected bucket policy as bucket-policy.json and run the following command to update the bucket policy:
aws s3api put-bucket-policy --bucket your-bucket --policy file://bucket-policy.json

Replace your-bucket with the name of your target S3 bucket and ensure you have the necessary permissions to modify the bucket policy.

  3. Run the following command to reset the bucket ACL so that no grant remains for the AllUsers or AuthenticatedUsers groups:
aws s3api put-bucket-acl --bucket your-bucket --acl private

Again, replace your-bucket with the name of your target S3 bucket and ensure you have the necessary permissions. Never pass the public-read-write canned ACL or a --grant-write for the AllUsers group here: that is exactly the condition this rule flags.

  4. Turn on all four S3 Block Public Access settings for the bucket with s3api put-public-access-block, so that S3 ignores any public ACL and rejects any future bucket policy that would grant public access, then confirm with s3api get-bucket-policy-status that IsPublic is false.
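A worked check for the troubleshooting and remediation steps above, added here as an example; it is not part of the original page and not Cloud Defense tooling. It runs offline over a constructed bucket policy and a constructed Grants list of the shape s3api get-bucket-acl returns (the bucket name example-bucket, the Sids and the 203.0.113.0/24 range are placeholders) and flags the two conditions the rule is about: Allow statements that give a write action to an anonymous principal, and ACL grants of WRITE, WRITE_ACP or FULL_CONTROL to the AllUsers or AuthenticatedUsers groups. remove_public_write then produces the policy you would upload with put-bucket-policy, dropping unconditional public-write statements and keeping conditional ones for review.

```python
import json

# Object-level actions that create, overwrite, delete or re-ACL objects; any
# of them granted to an anonymous principal is a public write.
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject",
                 "s3:deleteobjectversion", "s3:restoreobject"}

# ACL grantee groups meaning "everyone" and "every AWS account".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for the two anonymous forms: "*" and {"AWS": "*"}."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def is_write_action(action):
    """True if the action, possibly wildcarded (s3:Put*), covers a write."""
    a = action.lower()
    if a in ("*", "s3:*") or a in WRITE_ACTIONS:
        return True
    return a.endswith("*") and any(w.startswith(a[:-1]) for w in WRITE_ACTIONS)


def public_write_statements(policy):
    """Allow statements giving a write action to an anonymous principal, as
    (index, sid, conditional). Unconditional ones are the rule violation;
    conditional ones (e.g. aws:SourceIp) need a human to confirm the fence."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not is_public_principal(st.get("Principal")):
            continue
        actions = _as_list(st.get("Action"))
        # NotAction allows everything not listed, which almost always includes a write.
        if any(is_write_action(a) for a in actions) or ("NotAction" in st and not actions):
            findings.append((i, st.get("Sid", f"statement[{i}]"), "Condition" in st))
    return findings


def acl_public_write_grants(grants):
    """(group, permission) for ACL grants letting AllUsers or AuthenticatedUsers
    write objects (WRITE) or rewrite the ACL itself (WRITE_ACP, FULL_CONTROL)."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL")]


def remove_public_write(policy):
    """Copy of the policy with every unconditional public-write Allow dropped.
    Conditional statements are kept for review, not silently removed."""
    drop = {i for i, _, conditional in public_write_statements(policy) if not conditional}
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    fixed["Statement"] = [st for i, st in enumerate(_as_list(policy.get("Statement")))
                          if i not in drop]
    return fixed


# Constructed sample bucket policy (not a real bucket): a public read, an
# anonymous upload, an IP-fenced upload and a TLS-only Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeUpload", "Effect": "Allow", "Principal": "*",
         "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed sample of the "Grants" list that s3api get-bucket-acl returns.
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]

if __name__ == "__main__":
    for idx, sid, conditional in public_write_statements(SAMPLE_POLICY):
        print(f"statement {idx} ({sid}) allows public write{' [conditional]' if conditional else ''}")
    for group, perm in acl_public_write_grants(SAMPLE_ACL_GRANTS):
        print(f"ACL grants {perm} to {group}")
    print(json.dumps(remove_public_write(SAMPLE_POLICY), indent=2))
```

To run it against a real bucket, feed it the output of aws s3api get-bucket-policy --bucket NAME --query Policy --output text (parsed with json.loads) and aws s3api get-bucket-acl --bucket NAME --query Grants. The check is deliberately conservative, treating NotAction and wildcard actions as writes, and it complements rather than replaces get-bucket-policy-status, which applies AWS's full definition of a public policy.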

Note: It is recommended to test these changes in a non-production environment before applying them to live/production environments.
