
Rule: S3 Public Access Should be Blocked at Account Level

Ensure compliance with blocking S3 public access at account level for better security

Rule: S3 public access should be blocked at account level
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description

The rule aims to block public access to Amazon S3 (Simple Storage Service) buckets at the account level in accordance with the FedRAMP (Federal Risk and Authorization Management Program) Low Revision 4 security requirements. This rule helps to ensure the protection of sensitive data stored in S3 buckets, preventing unauthorized access and maintaining compliance with the FedRAMP Low security standards.

Troubleshooting Steps

  1. Check if IAM (Identity and Access Management) policies or bucket policies allow public access to S3 buckets.
  2. Verify if any S3 bucket is publicly accessible by checking the bucket's permissions.
  3. Review the S3 bucket policies and ensure they do not allow public access.
  4. Examine the bucket ACLs (Access Control Lists) to see if they permit any public access.
  5. Ensure that there are no conflicting bucket policies or ACLs that might unintentionally allow public access.
  6. Confirm that the S3 bucket is within the specific AWS account associated with the FedRAMP Low Revision 4 compliance scope.

Code Example

To enforce the blocking of public access at the account level, you can use the following AWS CLI (Command-Line Interface) command:

aws s3control put-public-access-block --account-id <YOUR_ACCOUNT_ID> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
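Applying the setting is only half of the rule; the troubleshooting steps above and the ongoing monitoring they imply need a check of what is actually in effect. The following Python script is an added example (not code from the original page or from Cloud Defense) that evaluates the JSON printed by `aws s3control get-public-access-block --account-id ...` and `aws s3api get-public-access-block --bucket ...`; the two sample outputs embedded in it are constructed, and an empty string stands in for the CLI's NoSuchPublicAccessBlockConfiguration error, which means no configuration exists at that level.

```python
import json

# The four settings the account-level block must enable for this rule to pass.
REQUIRED = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample outputs. The account has only the ACL settings enabled; the
# bucket has no configuration at all (modelled as an empty string).
ACCOUNT_OUTPUT = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}})
BUCKET_OUTPUT = ""


def parse_public_access_block(cli_output):
    """Parse get-public-access-block JSON into a {setting: bool} dict.

    An empty string models NoSuchPublicAccessBlockConfiguration: nothing is
    configured at that level, which is equivalent to every setting being false.
    Settings absent from the JSON are also treated as false.
    """
    if not cli_output.strip():
        return {k: False for k in REQUIRED}
    cfg = json.loads(cli_output)["PublicAccessBlockConfiguration"]
    return {k: bool(cfg.get(k, False)) for k in REQUIRED}


def effective_settings(account_cfg, bucket_cfg):
    """S3 applies the most restrictive combination of account- and bucket-level
    settings, so a setting is in effect for a bucket if either level enables it.
    Enabling "Block all public access" on one bucket in the console therefore
    protects that bucket only; this rule requires the account-level setting."""
    return {k: account_cfg[k] or bucket_cfg[k] for k in REQUIRED}


def missing_account_settings(account_cfg):
    """Return the settings still disabled at the account level (empty = compliant)."""
    return [k for k in REQUIRED if not account_cfg[k]]


if __name__ == "__main__":
    account = parse_public_access_block(ACCOUNT_OUTPUT)
    bucket = parse_public_access_block(BUCKET_OUTPUT)
    print("effective for bucket:", effective_settings(account, bucket))
    print("missing at account level:", missing_account_settings(account))
```

In a real run, feed the script the output of the two CLI calls for the account ID and each bucket in the compliance scope; a non-empty list from `missing_account_settings` is exactly what the `put-public-access-block` command above remediates.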

Remediation Steps

Follow the step-by-step guide below to remediate any public access and enforce the blocking of public access at the account level:

  1. Identify the AWS account associated with the S3 buckets subject to the FedRAMP Low Revision 4 compliance requirements.
  2. Ensure you have the necessary permissions in the AWS account to modify and enforce S3 public access settings.
  3. Open the AWS CLI or AWS Management Console.
  4. If using the AWS CLI, run the following command:

     aws s3control put-public-access-block --account-id <YOUR_ACCOUNT_ID> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

     Replace <YOUR_ACCOUNT_ID> with the AWS account ID associated with the FedRAMP Low Revision 4 compliance scope.
  5. If using the AWS Management Console:
     • Go to the AWS S3 service.
     • Select the appropriate S3 bucket(s) within the compliant account.
     • Open the "Permissions" tab.
     • Review and adjust any bucket policies that allow public access.
     • Modify the bucket ACLs to remove any public access permissions.
     • Enable the "Block all public access" option.
     • Save the changes.
  6. Perform regular checks and monitoring to ensure that public access to S3 buckets remains blocked at the account level and meets the requirements of FedRAMP Low Revision 4 compliance.

Please note that the provided commands and steps are generic examples, and you should tailor them to fit your specific environment and requirements. It is essential to thoroughly test and validate any changes made to your AWS account configuration before applying them to production environments.
