
Rule: S3 Buckets Should Prohibit Public Read Access

This rule emphasizes the importance of restricting public read access to S3 buckets.

Rule: S3 buckets should prohibit public read access
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Rule/Policy Description:

This rule/policy requires that S3 buckets within an organization's infrastructure prohibit public read access, in line with the access-control requirements of FedRAMP Moderate Revision 4. "Public" here means that a request carrying no AWS credentials (or the credentials of any arbitrary AWS account) can list or download objects, whether that access is granted by the bucket ACL, the bucket policy, or the ACLs on individual objects. Blocking it ensures that sensitive data stored in S3 is not readable by anyone on the internet.

Troubleshooting Steps (if any):

If an S3 bucket allows public read access, anyone on the internet can download its objects without credentials. Public read can be granted in three places, so check all of them:

  1. Check the bucket's Block Public Access settings: Run aws s3api get-public-access-block for the bucket (and check the account-level setting). Unless BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets are all true, public ACLs and public bucket policies are still honored.

  2. Check the bucket's Access Control List (ACL): Run aws s3api get-bucket-acl and look for grants to the AllUsers or AuthenticatedUsers group URIs; these are what the "public-read" and "public-read-write" canned ACLs create. Any such grant with READ or FULL_CONTROL permission must be removed.

  3. Verify the bucket policy: Run aws s3api get-bucket-policy and look for Allow statements whose Principal is "*" (or {"AWS": "*"}) and whose Action covers s3:GetObject, with no condition that limits the caller (for example aws:SourceVpce, aws:SourceIp or aws:PrincipalOrgID). aws s3api get-bucket-policy-status reports "IsPublic": true for such a policy.

  4. Check object permissions: Object ACLs are independent of the bucket ACL. Run aws s3api get-object-acl on the objects (or a representative sample) and look for the same public group grants; any object carrying one must have its ACL reset.
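One way to run the checks above offline, as an added example that is not Cloud Defense or AWS code: the functions below take the JSON that aws s3api get-bucket-acl, get-bucket-policy and get-object-acl return and report which path grants public read. The bucket name, canonical IDs, object keys and VPC endpoint ID in the sample data are constructed placeholders, and the set of condition keys treated as "narrowing" a wildcard principal is a simplified version of the list AWS applies when it decides whether a bucket policy is public.

```python
"""Offline check for the three public-read paths: bucket ACL, bucket policy,
object ACLs. Added example; sample documents below are constructed to mirror
`aws s3api` output and contain no real identifiers."""
import fnmatch
import json

# Grantee URIs that make an ACL grant public. AuthenticatedUsers means "anyone
# with an AWS account", which is effectively the whole internet.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}

# Condition keys that pin an Allow to specific callers. Simplified from the key
# list AWS uses to decide whether a policy is "public"; anything else (such as
# aws:SecureTransport) leaves the audience as everyone.
NARROWING_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn",
    "aws:sourceaccount", "aws:principalaccount", "aws:principalarn",
    "aws:principalorgid", "aws:userid",
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_read_acl_grants(acl):
    """Grants giving READ or FULL_CONTROL to a public group. Bucket ACLs
    (get-bucket-acl) and object ACLs (get-object-acl) share this structure."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
        and g.get("Permission") in READ_PERMISSIONS
    ]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _allows_get_object(actions):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def _is_narrowed(condition):
    for operator, pairs in condition.items():
        if "not" in operator.lower():
            continue  # StringNotEquals and friends widen rather than narrow
        if any(k.lower() in NARROWING_KEYS for k in pairs):
            return True
    return False


def policy_from_cli(response):
    """get-bucket-policy wraps the document in a JSON string under "Policy"."""
    return json.loads(response["Policy"])


def public_read_policy_sids(policy):
    """Sids of Allow statements that let everyone call s3:GetObject."""
    sids = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny never grants access, whatever its Principal
        if (_principal_is_everyone(stmt.get("Principal"))
                and _allows_get_object(stmt.get("Action", []))
                and not _is_narrowed(stmt.get("Condition", {}))):
            sids.append(stmt.get("Sid", f"statement[{i}]"))
    return sids


def audit_bucket(bucket, acl, policy, object_acls):
    """Combine the three checks into one list of findings for a bucket."""
    findings = []
    if public_read_acl_grants(acl):
        findings.append("bucket ACL grants public READ")
    for sid in public_read_policy_sids(policy):
        findings.append(f"bucket policy statement '{sid}' allows public s3:GetObject")
    for key, obj_acl in object_acls.items():
        if public_read_acl_grants(obj_acl):
            findings.append(f"object '{key}' ACL grants public READ")
    return findings


# Constructed sample data (placeholder bucket, IDs, keys and VPC endpoint).
BUCKET = "example-bucket"
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [OWNER, ALL_USERS_READ]}
SAMPLE_POLICY_RESPONSE = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    # Public: everyone may GetObject and nothing narrows the caller.
    {"Sid": "PublicWebsite", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    # Not public: wildcard principal but limited to one VPC endpoint.
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Get*"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    # Not public: a Deny only enforces TLS here, it grants nothing.
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})}
SAMPLE_OBJECT_ACLS = {
    "public/index.html": {"Owner": SAMPLE_ACL["Owner"], "Grants": [OWNER, ALL_USERS_READ]},
    "private/report.csv": {"Owner": SAMPLE_ACL["Owner"], "Grants": [OWNER]},
}

if __name__ == "__main__":
    policy = policy_from_cli(SAMPLE_POLICY_RESPONSE)
    for finding in audit_bucket(BUCKET, SAMPLE_ACL, policy, SAMPLE_OBJECT_ACLS):
        print(f"{BUCKET}: {finding}")
```

Against the constructed data this reports three findings: the bucket ACL, the PublicWebsite statement, and the object ACL on public/index.html. The VpcOnly statement is not flagged because its aws:SourceVpce condition restricts who can call it, and the Deny statement is skipped because a Deny grants nothing. To run it against a real bucket, replace the sample dictionaries with the parsed output of the corresponding aws s3api calls.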

Necessary Codes (if any):

The following AWS CLI commands remove public read access from an S3 bucket. Replace <bucket-name> (and <object-key>) with the bucket and objects you are remediating:

Reset the bucket ACL to private (this removes the AllUsers and AuthenticatedUsers grants on the bucket itself; object ACLs are separate):

aws s3api put-bucket-acl --bucket <bucket-name> --acl private

Reset the ACL of any object that was found with a public grant:

aws s3api put-object-acl --bucket <bucket-name> --key <object-key> --acl private

Turn on S3 Block Public Access for the bucket so that public ACLs are ignored and public bucket policies are rejected from now on. Buckets created since April 2023 have these four settings enabled by default, so this step mainly applies to older buckets:

aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

If the bucket policy contains Allow statements with Principal "*" for s3:GetObject, edit those statements out and re-apply the policy with aws s3api put-bucket-policy, or remove the policy with aws s3api delete-bucket-policy if nothing else remains in it. Note that a Deny statement for Principal "*" on s3:GetObject conditioned on "aws:SecureTransport": "false" only blocks plaintext HTTP requests and does not remove public read access, while an unconditional Deny for Principal "*" would lock out authorized users as well. The fix is to remove the public Allow, not to add a Deny.

Note: Before running these commands, make sure you have the necessary permissions on the bucket (s3:PutBucketAcl, s3:PutObjectAcl, s3:PutBucketPublicAccessBlock and s3:PutBucketPolicy).

Step-by-Step Guide for Remediation:

Follow these steps to remediate an S3 bucket that allows public read access:

  1. Identify the S3 bucket: Determine the target S3 bucket that requires remediation.

  2. Update the Access Control List (ACL): Reset the bucket ACL to private with aws s3api put-bucket-acl, and reset the ACL of any object found with a public grant with aws s3api put-object-acl.

  3. Review and modify the bucket policy: Remove any Allow statement that grants s3:GetObject (or a broader action) to Principal "*" without a condition that limits the caller, then re-apply the edited policy. If no bucket policy is defined, proceed to the next step.

  4. Enable S3 Block Public Access: Apply all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) with aws s3api put-public-access-block so that any future public ACL or policy is ignored or rejected rather than honored.

  5. Validate the changes: Run aws s3api get-bucket-policy-status for the bucket and confirm it reports "IsPublic": false, then make an unauthenticated request for an object (for example with curl against https://<bucket-name>.s3.amazonaws.com/<object-key>) and confirm it is refused with 403 Forbidden.

  6. Repeat the process: Audit existing and newly created buckets regularly. The account-level Block Public Access setting (aws s3control put-public-access-block) enforces the same four controls on every bucket in the account and prevents the finding from recurring.

By following these steps, you can successfully remediate the S3 bucket to prohibit public read access in alignment with FedRAMP Moderate Revision 4 guidelines.
