Rule: S3 Public Access Should Be Blocked at Bucket Levels
This rule ensures that S3 public access is restricted at the bucket level.
| Rule | S3 public access should be blocked at bucket levels |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ High |
S3 Public Access Block for FedRAMP Compliance
Overview
FedRAMP Low Revision 4 Compliance
The Federal Risk and Authorization Management Program (FedRAMP) outlines standardized security requirements for cloud services used by federal agencies. For data classified at the "Low" impact level, FedRAMP Low Revision 4 requires strict controls to prevent unauthorized data access. Blocking public access to Amazon S3 buckets is one of the measures to ensure data integrity and confidentiality.
Rule Description
S3 Public Access Block
Amazon S3 provides the ability to block public access to buckets and objects at the bucket level. This block can be imposed by applying specific settings that override any public access permissions, ensuring that data within S3 buckets cannot be accidentally shared publicly.
The S3 Public Access Block includes four settings:
- 1.Block public access to buckets and objects granted through new access control lists (ACLs).
- 2.Block public access to buckets and objects granted through any access control lists (ACLs).
- 3.Block public access to buckets and objects granted through new public bucket or access point policies.
- 4.Block public and cross-account access to buckets and objects through any public bucket or access point policies.
Applying all these settings assists in maintaining compliance with FedRAMP Low Revision 4 by eliminating potential public access vectors.
Troubleshooting Steps
If after configuring the S3 Public Access Block, your buckets or objects are still publicly accessible, follow these steps:
- 1.Check Bucket Policy: Ensure there is no bucket policy that explicitly allows public access.
- 2.Review ACLs: Inspect the bucket and object ACLs to confirm there is no public read or write access granted.
- 3.Verify IAM Policies: Look for IAM user policies that may inadvertently grant public access.
- 4.Check for Pre-signed URLs: Identify if objects are being shared via pre-signed URLs which bypass bucket policies and ACLs.
- 5.Review S3 Access Points: Ensure that any S3 Access Points associated with the bucket do not permit public access.
Necessary AWS CLI Commands
Block Public Access via CLI
Run the following AWS Command Line Interface (CLI) command to apply the S3 Public Access Block to a bucket:
aws s3api put-public-access-block \ --bucket YOUR-BUCKET-NAME \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
Replace
YOUR-BUCKET-NAMEVerify Public Access Block Configuration
To confirm that the public access block is in place, use the following command:
aws s3api get-public-access-block --bucket YOUR-BUCKET-NAME
Remove Public Access Block (if needed)
To remove the public access block configuration, execute:
aws s3api delete-public-access-block --bucket YOUR-BUCKET-NAME
Step by Step Guide for Remediation
- 1.Log in to AWS Management Console.
- 2.Navigate to the S3 Service: Go to the S3 dashboard where your buckets are listed.
- 3.Select a Bucket: Click on the bucket you wish to apply the public access block to.
- 4.Access the Permissions Tab: Open the "Permissions" tab for the bucket.
- 5.Edit Public Access Block Settings: Look for the "Public Access Settings" and click on "Edit".
- 6.Enable All Settings: Check all four options to block public access.
- 7.Save Changes: Click "Save changes" to apply the configuration.
By ensuring that all S3 buckets have public access blocked, you are taking a necessary step towards achieving and maintaining FedRAMP Low Revision 4 compliance. This detailed approach helps in keeping your AWS environment secure while enabling an advantageous position for SEO through clarity and the provision of concrete, actionable guidance without unnecessary filler content.