
Rule: S3 Public Access Blocked at Bucket Levels

This rule ensures blocking of S3 public access at bucket levels.

Rule: S3 public access should be blocked at bucket levels
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

According to the FedRAMP Low Revision 4 security standards, it is required to block public access at the bucket level for Amazon S3 (Simple Storage Service). This rule aims to prevent unauthorized access to sensitive data stored in S3 buckets and ensure compliance with security regulations.

Troubleshooting Steps (if necessary):

If any issues occur while implementing or verifying the rule, the following troubleshooting steps can be taken:

  1. Ensure that the S3 bucket is configured to block public access.
  2. Verify whether any S3 bucket policies or access control lists (ACLs) are allowing public access.
  3. Check whether any IAM (Identity and Access Management) policies grant public access to the bucket or its contents.
  4. Review the bucket and object permissions to verify that they are restricted to authorized users or roles.
  5. Confirm that the S3 bucket is not configured as a website endpoint, as this can enable public access.

Necessary Codes (if applicable):

To block public access at the bucket level in Amazon S3, the following bucket policy can be applied. It denies requests that do not come from a principal in the bucket owner's AWS account; anonymous requests carry no aws:PrincipalAccount value, so the StringNotEquals condition matches them and they are denied as well. Without that condition, a Deny to Principal "*" would also lock out the account's own users and roles. A bucket policy complements, but does not replace, the bucket-level Block Public Access settings described in the remediation steps below.

{
    "Version": "2012-10-17",
    "Id": "BlockPublicAccessPolicy",
    "Statement": [
        {
            "Sid": "BlockPublicAcl",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::(bucket-name)",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "(account-id)"
                }
            }
        },
        {
            "Sid": "BlockPublicPolicy",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetBucketPolicy",
            "Resource": "arn:aws:s3:::(bucket-name)",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "(account-id)"
                }
            }
        },
        {
            "Sid": "BlockPublicObject",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::(bucket-name)/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": "(account-id)"
                }
            }
        }
    ]
}

Replace (bucket-name) in the above policy with the actual name of the S3 bucket, and (account-id) with the 12-digit ID of the AWS account that owns the bucket.

Step-by-Step Guide for Remediation:

To block public access at the bucket level in Amazon S3, follow these steps:

  1. Access the AWS Management Console and navigate to the Amazon S3 service.
  2. Select the S3 bucket for which you wish to block public access.
  3. Click on the "Permissions" tab for the selected bucket.
  4. Look for the "Block public access" section and click on the "Edit" button.
  5. Ensure that all settings in the "Block public access" section are enabled, specifically:
     • Block all public access
     • Block public access to buckets and objects granted through new access control lists (ACLs)
     • Block public access to buckets and objects granted through any bucket policies
     • Block public and cross-account access to buckets and objects through any public bucket policies
  6. Save the changes by clicking the "Save" button.

After following these steps, the S3 bucket will have public access blocked at the bucket level, thus complying with the FedRAMP Low Revision 4 security requirement.
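As an added offline check (not part of the Cloud Defense rule page or of any AWS tooling), the Python below evaluates a bucket's PublicAccessBlock configuration against the four settings enabled in step 5 and flags bucket policy statements that grant access to everyone, which is what troubleshooting steps 1 and 2 ask you to verify. The two inputs are constructed samples; in practice they would be the output of `aws s3api get-public-access-block` and `aws s3api get-bucket-policy`.

```python
# The four bucket-level settings behind the console's "Block all public access"
# checkbox, named as in the PublicAccessBlockConfiguration API structure.
REQUIRED_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                     "BlockPublicPolicy", "RestrictPublicBuckets")


def missing_block_settings(config):
    """Return the Block Public Access settings that are not enabled.

    `config` is the PublicAccessBlockConfiguration dict returned by
    `aws s3api get-public-access-block`; pass {} for a bucket that has no
    configuration at all, which is then reported as missing all four.
    """
    return [s for s in REQUIRED_SETTINGS if not config.get(s, False)]


def _is_public_principal(principal):
    """True if the Principal element grants to everyone ("*" or AWS: "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_allow_statements(policy):
    """Return the Sids of Allow statements whose principal is everyone.
    Statements with a Condition are still reported: only a narrow set of
    condition keys makes such a grant non-public, so review them by hand."""
    return [stmt.get("Sid", f"Statement[{i}]")
            for i, stmt in enumerate(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow"
            and _is_public_principal(stmt.get("Principal"))]


# Constructed sample: two of the four settings are switched off.
SAMPLE_CONFIG = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                 "BlockPublicPolicy": True, "RestrictPublicBuckets": False}

# Constructed sample policy: a public read grant next to a scoped one.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

Running `missing_block_settings(SAMPLE_CONFIG)` reports IgnorePublicAcls and RestrictPublicBuckets as disabled, and `public_allow_statements(SAMPLE_POLICY)` reports the PublicRead statement.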
