
Rule: S3 Buckets Should Prohibit Public Write Access

This rule ensures that S3 buckets do not allow public write access, maintaining data security.

Rule: S3 buckets should prohibit public write access
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule Description:

This rule enforces that S3 buckets should not allow public write access in order to comply with the FedRAMP Moderate Revision 4 security requirements. Public write access allows anyone on the internet to modify the contents of the S3 bucket, which can lead to unauthorized access or data breaches.

Troubleshooting Steps:

  1. Check if any S3 buckets have been configured to allow public write access.
  2. Verify the bucket policy and access control list (ACL) settings for each S3 bucket.
  3. Ensure that the appropriate permissions have been granted to limit write access to authorized users or roles only.
  4. Review any associated IAM policies or roles that might allow public write access to the S3 buckets.

Necessary Codes:

No specific code is required for this rule. However, you may need to modify the bucket policy or ACL settings if public write access is currently allowed.

Remediation Steps:

Follow these step-by-step instructions to remediate the rule violation:

  1. Sign in to the AWS Management Console.
  2. Open the Amazon S3 console.
  3. Select the S3 bucket that allows public write access.
  4. Click on the "Permissions" tab.
  5. Review the existing bucket policy and any associated ACLs.
  6. Remove any existing statements or entries that allow public write access.
  7. Ensure that the bucket policy or ACLs only allow write access for authorized users or roles.
  8. Save the changes to the bucket policy or ACLs.
  9. Repeat these steps for any other S3 buckets that allow public write access.

CLI Command:

If you prefer the command line interface (CLI), you can use the following AWS CLI commands for remediation:

  1. List all S3 buckets:

     aws s3 ls

  2. Remove public write access from a bucket policy:

     aws s3api put-bucket-policy --bucket <bucket-name> --policy file://bucket-policy.json

     Replace <bucket-name> with the actual name of the S3 bucket and bucket-policy.json with the updated bucket policy file that removes public write access.

  3. Remove public write access from an ACL:

     aws s3api put-bucket-acl --bucket <bucket-name> --acl private

     Replace <bucket-name> with the actual name of the S3 bucket.

Note: Before making any changes through the CLI, make sure you have the necessary permissions and understand the potential impact of your actions.
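The troubleshooting steps above ask you to inspect each bucket's policy and ACL for public write access, and the CLI steps ask for an updated bucket-policy.json with those grants removed. The following is an added example (not Cloud Defense code and not part of the original page) that does both offline: it flags policy statements that give "*" or {"AWS": "*"} an unconditional write action, flags ACL grants that give the AllUsers or AuthenticatedUsers groups WRITE, WRITE_ACP or FULL_CONTROL, and emits a sanitized policy you could save as bucket-policy.json for the put-bucket-policy command. The sample policy and ACL documents are constructed for the example; their shape mirrors what aws s3api get-bucket-policy and get-bucket-acl return, and the bucket name, account ID and role name in them are placeholders. The wildcard handling covers "*", "s3:*" and trailing-wildcard actions such as "s3:Put*" only; statements that carry a Condition block are left for manual review rather than being flagged.

```python
"""Audit an S3 bucket policy and ACL for public write access and produce a
sanitized policy. Added example; runs offline on constructed sample documents."""
import json

# Actions that let a caller change bucket contents or widen access (lower-case
# for case-insensitive comparison, as IAM evaluates action names).
WRITE_ACTIONS = {
    "s3:putobject", "s3:deleteobject", "s3:deleteobjectversion",
    "s3:putobjectacl", "s3:putbucketpolicy", "s3:putbucketacl",
}
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches_write(action):
    """Match one Action string against WRITE_ACTIONS, honouring '*' , 's3:*'
    and trailing wildcards such as 's3:Put*' (mid-string wildcards not handled)."""
    a = action.lower()
    if a in ("*", "s3:*"):
        return True
    if a.endswith("*"):
        prefix = a[:-1]
        return any(w.startswith(prefix) for w in WRITE_ACTIONS)
    return a in WRITE_ACTIONS


def statement_allows_public_write(stmt):
    """Flag an unconditional Allow to a public principal for a write action.
    Statements with a Condition are not flagged here; review them by hand."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    if not _principal_is_public(stmt.get("Principal")):
        return False
    return any(_action_matches_write(a) for a in _as_list(stmt.get("Action")))


def find_public_write_statements(policy):
    """Return the policy statements that grant public write access."""
    return [s for s in _as_list(policy.get("Statement")) if statement_allows_public_write(s)]


def acl_public_write_grants(acl):
    """Return ACL grants giving AllUsers/AuthenticatedUsers write-class permissions."""
    flagged = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEES
                and grant.get("Permission") in WRITE_PERMISSIONS):
            flagged.append(grant)
    return flagged


def sanitize_policy(policy):
    """Copy of the policy with public-write statements dropped; serialise this
    to bucket-policy.json for `aws s3api put-bucket-policy`."""
    clean = dict(policy)
    clean["Statement"] = [s for s in _as_list(policy.get("Statement"))
                          if not statement_allows_public_write(s)]
    return clean


# Constructed sample documents (placeholder bucket, account and role names).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "placeholder-canonical-user-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-canonical-user-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEES and
                     "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for s in find_public_write_statements(SAMPLE_POLICY):
        print("policy statement grants public write:", s.get("Sid"))
    for g in acl_public_write_grants(SAMPLE_ACL):
        print("ACL grant gives public write:", g["Grantee"]["URI"], g["Permission"])
    # Save this output as bucket-policy.json for the put-bucket-policy step.
    print(json.dumps(sanitize_policy(SAMPLE_POLICY), indent=2))
```

The sanitized policy keeps the PublicRead, AppRole and DenyInsecure statements untouched and removes only the PublicWrite statement, which is the change the CLI remediation step asks for; the public READ ACL grant is likewise reported by neither function, because this rule is about write access. The `--acl private` command from step 3 removes all group grants, so it also covers the flagged WRITE grant.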

By following these steps and ensuring that public write access is disabled for your S3 buckets, you will meet the requirements of the FedRAMP Moderate Revision 4 security standards and reduce the risk of unauthorized modifications or data breaches.
