S3 Public Access Blocked at Bucket Levels Rule

This rule ensures compliance by blocking S3 public access at bucket levels.

Rule: S3 public access should be blocked at bucket levels
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule Description:

This rule aims to ensure that S3 buckets within the AWS account are not publicly accessible at the bucket level, aligning with the requirements of FedRAMP Moderate Revision 4.

Troubleshooting Steps:

If the S3 bucket is found to be publicly accessible at the bucket level, follow the below troubleshooting steps to rectify the issue:

  1. Access the AWS Management Console and navigate to the S3 service.
  2. Identify the bucket that is flagged as publicly accessible.
  3. Check if any objects within the bucket have public access permissions.
  4. Review the bucket policy attached to the S3 bucket.
  5. Ensure that the bucket policy does not allow any public access controls.
  6. If access controls are required for specific users or entities, consider implementing IAM policies or Access Control Lists (ACLs) to restrict access.

Code:

No specific code is required for this rule. However, you may need to review and modify the bucket policy if it allows public access.

Remediation Steps:

To remediate the issue and block public access at the bucket level, follow these steps:

  1. Access the AWS Management Console and navigate to the S3 service.
  2. Identify the bucket that needs to be secured.
  3. Select the bucket and click on the "Permissions" tab.
  4. Review the "Access control list (ACL)" settings and ensure there are no public read/write access permissions.
  5. If necessary, modify the ACL to remove any public access.
  6. On the "Permissions" tab, select "Block public access".
  7. Ensure all the checkboxes under "Block public access" are enabled.
  8. Save the changes to apply the new access settings.

CLI Command:

If you prefer to use the AWS Command Line Interface (CLI) to remediate the issue, follow these steps:

  1. Open the command prompt or terminal on your local machine.
  2. Run the following command to modify the ACL of the bucket:

     aws s3api put-bucket-acl --bucket <bucket-name> --acl private

     Replace <bucket-name> with the name of the bucket that needs to be secured.
  3. Next, run the following command to enable block public access at the bucket level:

     aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

     Replace <bucket-name> with the name of the bucket that needs to be secured.

Note:

Ensure that proper testing and validation are performed after implementing the remediation steps to verify that the bucket is no longer publicly accessible at the bucket level.
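As an added example (not Cloud Defense's own code, and not an AWS tool), the following Python performs the validation this note asks for, offline: it evaluates the three bucket-level settings the troubleshooting and remediation steps review, ACL grants to the global groups, bucket-policy statements addressed to everyone, and the four Public Access Block flags, and prints the two CLI commands from the rule for any bucket that fails. It uses only the standard library and takes dicts shaped like the JSON that `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return, so you can pipe real output into it; the bucket names, owner ID and policy contents below are constructed samples.

```python
"""Offline evaluator for the checks in this rule (bucket ACL, bucket policy,
Public Access Block). Inputs are plain dicts shaped like the JSON returned by
`aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`.
Added example; not Cloud Defense's own code."""
import json

# A grant to either predefined global group makes an ACL public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# All four flags must be true for bucket-level blocking to be complete.
REQUIRED_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                        "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Permissions (READ, WRITE, ...) granted to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append(grant["Permission"])
    return found


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy):
    """Sids (or positions) of Allow statements addressed to everyone.
    Statements carrying a Condition are still reported: AWS exempts only a
    few narrowing condition keys, so each one deserves a manual look."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be un-listed
        statements = [statements]
    return [st.get("Sid", f"statement[{i}]")
            for i, st in enumerate(statements)
            if st.get("Effect") == "Allow" and _wildcard_principal(st.get("Principal"))]


def missing_block_flags(public_access_block):
    """Public Access Block flags not set to true (all four if none is configured)."""
    config = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in REQUIRED_BLOCK_FLAGS if config.get(flag) is not True]


def evaluate_bucket(name, acl, policy, public_access_block):
    """Combine the checks into one finding; compliant only if every list is empty."""
    finding = {
        "bucket": name,
        "public_acl_permissions": public_acl_grants(acl),
        "public_policy_statements": public_policy_statements(policy),
        "missing_block_flags": missing_block_flags(public_access_block),
    }
    finding["compliant"] = not any(finding[k] for k in (
        "public_acl_permissions", "public_policy_statements", "missing_block_flags"))
    return finding


def remediation_commands(bucket):
    """The two CLI commands from the rule, filled in for one bucket name."""
    flags = ",".join(f"{f}=true" for f in REQUIRED_BLOCK_FLAGS)
    return [
        f"aws s3api put-bucket-acl --bucket {bucket} --acl private",
        f"aws s3api put-public-access-block --bucket {bucket} "
        f"--public-access-block-configuration {flags}",
    ]


# Constructed sample inputs (not real buckets): one open, one locked down.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
OPEN_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open-bucket/*"}]})
OPEN_PAB = {"PublicAccessBlockConfiguration": {f: False for f in REQUIRED_BLOCK_FLAGS}}
LOCKED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LOCKED_PAB = {"PublicAccessBlockConfiguration": {f: True for f in REQUIRED_BLOCK_FLAGS}}

if __name__ == "__main__":
    for name, acl, policy, pab in (("example-open-bucket", OPEN_ACL, OPEN_POLICY, OPEN_PAB),
                                   ("example-locked-bucket", LOCKED_ACL, None, LOCKED_PAB)):
        finding = evaluate_bucket(name, acl, policy, pab)
        print(json.dumps(finding, indent=2))
        if not finding["compliant"]:
            print("\n".join(remediation_commands(name)))
```

Run the script as-is to see the open sample fail on all three checks and the locked sample pass; to check a real bucket, replace the sample dicts with the parsed output of the three `aws s3api get-*` calls for that bucket. Note that a bucket whose policy grants to "*" under a Condition is still listed, because the rule asks for a review of every public-looking statement rather than a guess about which condition keys AWS treats as narrowing.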
