Rule Description:
The rule specifies that S3 buckets must prohibit public read access for FedRAMP Low Revision 4 compliance. This means that the bucket must not allow anonymous access to read or download any of the objects stored within it.
Troubleshooting Steps:
1. Review the bucket's access control settings to ensure public read access is disabled.
2. Check whether any bucket policies or other access policies allow public read access.
3. Verify that no objects within the bucket have unintentionally been made publicly readable.
Necessary Codes:
There are no specific codes for troubleshooting this rule, as it involves reviewing and configuring access control settings within the AWS Management Console or using AWS CLI commands.
Step-by-step Guide for Remediation:
AWS Management Console:
1. Sign in to the AWS Management Console.
2. Open the Amazon S3 service.
3. Identify the S3 bucket that needs to comply with the rule.
4. Open the bucket's properties by clicking on the bucket name.
5. In the Permissions tab, review the access control settings.
6. Ensure that there are no access control entries allowing public read access.
7. If any access control entries allow public read access, remove or modify them accordingly.
8. Go to the Objects tab and review the permissions of individual objects within the bucket.
9. Change the permissions of any publicly readable objects to restrict public access.
AWS CLI:
1. Open the command-line interface on your local machine.
2. Use the following command to list all the buckets in your AWS account:

aws s3api list-buckets

3. Identify the bucket that needs to comply with the rule from the list.
4. Use the following command to retrieve the bucket's access control list:

aws s3api get-bucket-acl --bucket <bucket-name>

5. Check whether any access control entries in the output allow public read access.
6. If any access control entries allow public read access, remove or modify them using the aws s3api put-bucket-acl command.
7. Use the following command to list all the objects within the bucket:

aws s3api list-objects --bucket <bucket-name>

8. For each publicly readable object, use the following command to revoke public access:

aws s3api put-object-acl --bucket <bucket-name> --key <object-key> --acl private

9. Repeat step 8 for each publicly readable object within the bucket.

Note: Make sure to replace <bucket-name> and <object-key> with appropriate values.
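The troubleshooting steps and the CLI steps above both come down to the same check: read the JSON that get-bucket-acl, get-object-acl and get-bucket-policy return and look for grants to everyone. The following Python script is an added example, not part of this rule's documentation or any AWS tooling. It flags public-read grants in ACL JSON (the AllUsers and AuthenticatedUsers group URIs are the real AWS predefined groups), flags bucket-policy Allow statements whose Principal is "*" and whose Action matches s3:GetObject, and builds the put-bucket-acl / put-object-acl commands from step 6 and step 8 for everything it finds. The bucket name, owner ID, object keys, account ID and policy are constructed sample data, and the script runs offline; to use it against a real bucket you would feed it the CLI output instead.

```python
"""Flag public-read grants in S3 ACL and bucket-policy JSON and build the
remediation commands from the CLI steps above.  All sample data below is
constructed for the example and does not come from a real AWS account."""
import fnmatch
import json

# AWS predefined groups meaning "everyone" (AllUsers) or "any AWS account
# holder" (AuthenticatedUsers); a READ or FULL_CONTROL grant to either is public read.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_read_grants(acl):
    """Grants in a get-bucket-acl / get-object-acl result that allow public read."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in READ_PERMISSIONS):
            hits.append(grant)
    return hits


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _action_allows_read(actions):
    """True if any action pattern (e.g. "*", "s3:*", "s3:Get*") matches
    s3:GetObject; IAM action names are matched case-insensitively."""
    return any(fnmatch.fnmatchcase("s3:getobject", str(a).lower())
               for a in _as_list(actions))


def public_read_statements(policy):
    """Allow statements granting s3:GetObject to everyone.  A statement with a
    Condition is still reported but marked conditional, because the condition
    may or may not narrow the audience; NotAction/NotPrincipal forms are not handled."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_public(stmt.get("Principal"))
                and _action_allows_read(stmt.get("Action", []))):
            hits.append({"Sid": stmt.get("Sid"), "conditional": "Condition" in stmt})
    return hits


def remediation_commands(bucket, bucket_acl, object_acls):
    """The aws s3api commands from the remediation steps for each public-read ACL.
    object_acls maps an object key to its get-object-acl result."""
    cmds = []
    if public_read_grants(bucket_acl):
        cmds.append(f"aws s3api put-bucket-acl --bucket {bucket} --acl private")
    for key, acl in object_acls.items():
        if public_read_grants(acl):
            cmds.append(f"aws s3api put-object-acl --bucket {bucket} --key {key} --acl private")
    return cmds


# Constructed sample data shaped like the CLI's JSON output.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
SAMPLE_BUCKET_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_OBJECT_ACLS = {"reports/q1.pdf": SAMPLE_BUCKET_ACL, "internal/notes.txt": PRIVATE_ACL}
SAMPLE_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-role"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}''')

if __name__ == "__main__":
    print("Policy statements granting public read:", public_read_statements(SAMPLE_POLICY))
    for cmd in remediation_commands("example-bucket", SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS):
        print(cmd)
```

The ACL check covers steps 5 and 8 of the CLI procedure; the policy check covers troubleshooting step 2, which the CLI steps do not otherwise address, since a bucket policy can grant public read even when every ACL is private. Treat a conditional statement as a manual-review item rather than a confirmed finding, and note that the generated commands only revoke ACL grants: a public-read policy statement has to be removed from the policy itself.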
By following these steps, you will ensure that the S3 bucket complies with the rule and prohibits public read access as required for FedRAMP Low Revision 4 compliance.