
Rule: S3 Buckets should Prohibit Public Read Access

This rule ensures S3 buckets restrict public read access for enhanced security.

Rule: S3 buckets should prohibit public read access
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description:

The rule specifies that S3 buckets must prohibit public read access for FedRAMP Low Revision 4 compliance. This means that the bucket must not allow anonymous access to read or download any of the objects stored within it.

Troubleshooting Steps:

  1. Review the bucket's access control settings to ensure public read access is disabled.
  2. Check if any access policies or bucket policies are allowing public read access.
  3. Verify if any objects within the bucket have unintentionally been made publicly readable.

Necessary Codes:

There are no specific codes for troubleshooting this rule, as it involves reviewing and configuring access control settings within the AWS Management Console or using AWS CLI commands.

Step-by-step Guide for Remediation:

AWS Management Console:

  1. Sign in to the AWS Management Console.
  2. Open the Amazon S3 service.
  3. Identify the S3 bucket that needs to comply with the rule.
  4. Select the bucket's properties by clicking on the bucket name.
  5. In the Permissions tab, review the access control settings.
  6. Ensure that there are no access control entries allowing public read access.
  7. If any access control entries allow public read access, remove or modify them accordingly.
  8. Go to the Objects tab and review the permissions of individual objects within the bucket.
  9. Change the permissions of any publicly readable objects to restrict public access.
  10. Save the changes.

AWS CLI:

  1. Open the command-line interface on your local machine.
  2. Use the following command to list all the buckets in your AWS account:
     aws s3api list-buckets
  3. Identify the bucket that needs to comply with the rule from the list.
  4. Use the following command to retrieve the bucket's access control list (ACL):
     aws s3api get-bucket-acl --bucket <bucket-name>
  5. Check if any access control entries in the ACL allow public read access.
  6. If any access control entries allow public read access, remove or modify them using the aws s3api put-bucket-acl command.
  7. Use the following command to list all the objects within the bucket:
     aws s3api list-objects --bucket <bucket-name>
  8. For each publicly readable object, use the following command to revoke public access:
     aws s3api put-object-acl --bucket <bucket-name> --key <object-key> --acl private
  9. Repeat step 8 for each publicly readable object within the bucket.

Note: Make sure to replace <bucket-name> and <object-key> with appropriate values.
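The following is an added Python example (not Cloud Defense's code) that automates the check in step 5: it reads the JSON that aws s3api get-bucket-acl or get-object-acl prints, flags grants to the public groups that carry read access, and builds the put-*-acl --acl private command from the steps above. The ACL document is a constructed sample, and the bucket and object names are placeholders.

```python
"""Find public-read grants in an S3 ACL document and build the fix command.

Input shape matches what `aws s3api get-bucket-acl` / `get-object-acl` print.
ACLs are only one path to public read access; bucket policies and the
account/bucket Block Public Access settings must be reviewed separately.
"""
import json

# AWS predefined groups whose grants make a resource publicly readable.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anonymous
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account
}
# ACL permissions that allow reading/listing the bucket or object.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_read_grants(acl):
    """Return the grants in an ACL document that give public read access."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are scoped to one account
        if grantee.get("URI") in PUBLIC_GROUP_URIS and grant.get("Permission") in READ_PERMISSIONS:
            found.append(grant)
    return found


def remediation_command(bucket, key=None):
    """Build the CLI command from the steps above that resets an ACL to private."""
    if key is None:
        return f"aws s3api put-bucket-acl --bucket {bucket} --acl private"
    return f"aws s3api put-object-acl --bucket {bucket} --key {key} --acl private"


# Constructed sample: an object ACL with a world-readable grant.
# The owner ID is a placeholder, not a real canonical user ID.
SAMPLE_PUBLIC_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")
# The same document after `--acl private`: only the owner's grant remains.
SAMPLE_PRIVATE_ACL = {"Owner": SAMPLE_PUBLIC_ACL["Owner"], "Grants": SAMPLE_PUBLIC_ACL["Grants"][:1]}

if __name__ == "__main__":
    for name, acl in (("public", SAMPLE_PUBLIC_ACL), ("private", SAMPLE_PRIVATE_ACL)):
        bad = public_read_grants(acl)
        print(name, "->", "PUBLIC READ" if bad else "ok")
        if bad:
            print("  fix:", remediation_command("<bucket-name>", "<object-key>"))
```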

By following these steps, you will ensure that the S3 bucket complies with the rule and prohibits public read access as required for FedRAMP Low Revision 4 compliance.
