
Rule: S3 Buckets Should Prohibit Public Read Access

This rule checks that S3 buckets do not allow public read access, so that bucket contents cannot be read by anyone on the internet.

Rule: S3 buckets should prohibit public read access
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Rule Description:

According to the FedRAMP Moderate Revision 4 guideline, S3 buckets should not have public read access enabled. This is necessary to ensure the confidentiality and security of the data stored in the buckets. Public read access allows anyone on the internet to view the contents of the bucket, which can lead to unauthorized access or disclosure of sensitive information.

Enforcing this rule helps organizations meet the compliance requirements and protect their data from potential security breaches. By restricting public read access, only authorized users with appropriate permissions will be able to access the S3 bucket.

Troubleshooting Steps (if applicable):

If public read access is detected on an S3 bucket, follow the steps below to troubleshoot and remediate the issue:

  1. Identify the S3 bucket with public read access:

    • Navigate to the AWS Management Console.
    • Go to the S3 service.
    • List all the available buckets.
    • Look for buckets with public read access enabled.

  2. Audit the contents of the bucket:

    • Review the files and objects stored in the bucket for any sensitive or confidential information.

  3. Disable public read access:

    • Select the bucket with public read access.
    • Click on the "Permissions" tab.
    • Identify the "Access control list (ACL)" section.
    • Remove all public read permissions assigned to the bucket.

  4. Restrict access using bucket policies:

    • Click on the "Permissions" tab.
    • Identify the "Bucket Policy" section.
    • Create or modify a bucket policy to deny public read access.
    • Example bucket policy to deny public read access. The Condition limits the Deny to principals outside your own AWS account (anonymous requests carry no aws:PrincipalAccount, so they are denied too); without it, the statement would block every reader, including your own IAM users and roles. Replace "bucket-name" and the placeholder account ID "123456789012":
      {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "DenyPublicReadAccess",
                 "Effect": "Deny",
                 "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::bucket-name/*",
                 "Condition": {
                     "StringNotEquals": {
                         "aws:PrincipalAccount": "123456789012"
                     }
                 }
             }
         ]
      }

  5. Regularly monitor and review S3 bucket permissions:

    • Implement a process to review and audit the permissions of S3 buckets periodically.
    • Ensure that public read access is not re-enabled accidentally.

  6. Educate and enforce best practices:

    • Train and educate users who manage S3 buckets on the importance of restricting public read access.
    • Enforce policies and guidelines that prohibit enabling public read access without proper justification and approval.
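The steps above can be scripted. The following Python is an added example written for this page, not Cloud Defense's or AWS's own code: it implements the rule's check (step 1) against ACL and bucket-policy documents in the shape boto3 returns them, flagging grants to the AllUsers/AuthenticatedUsers groups and unconditional `Allow` statements for object reads with a wildcard principal, and it performs the remediation of steps 3 and 4 by resetting the ACL to private and enabling S3 Block Public Access. The `s3` parameter is assumed to be a boto3 S3 client (or any object with the same methods); the sample ACL and policy documents are constructed and use no real account, bucket or owner IDs.

```python
"""Audit S3 buckets for public read access and remediate the finding.

Added example, not Cloud Defense's own code. `s3` is assumed to be a boto3
S3 client (or any object exposing the same methods); sample documents below
are constructed for illustration.
"""
import json

# AWS predefined groups whose grants make a bucket readable by everyone / by any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Policy actions (lower-cased) that permit reading objects.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def acl_allows_public_read(acl):
    """True if an ACL grants READ or FULL_CONTROL to AllUsers or AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        public_group = grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS
        if public_group and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            return True
    return False


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _wildcard_principal(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_allows_public_read(policy_json):
    """True if the bucket policy has an unconditional Allow of object reads to everyone.

    Conditioned Allows (e.g. limited to a VPC endpoint) are skipped here and should
    be reviewed by hand; Deny statements never make a bucket public.
    """
    if not policy_json:
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _wildcard_principal(stmt.get("Principal")):
            continue
        if any(a.lower() in READ_ACTIONS for a in _as_list(stmt.get("Action"))):
            return True
    return False


def bucket_is_public_read(acl, policy_json):
    return acl_allows_public_read(acl) or policy_allows_public_read(policy_json)


def audit_buckets(s3):
    """Step 1: list every bucket and return the names whose ACL or policy grants public read."""
    findings = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        try:
            policy_json = s3.get_bucket_policy(Bucket=name)["Policy"]
        except Exception as exc:  # boto3 raises NoSuchBucketPolicy when no policy is attached
            if "NoSuchBucketPolicy" not in str(exc):
                raise
            policy_json = None
        if bucket_is_public_read(acl, policy_json):
            findings.append(name)
    return findings


def remediate_public_read(s3, bucket):
    """Steps 3 and 4: reset the ACL to private and enable Block Public Access.

    BlockPublicPolicy rejects new public bucket policies and RestrictPublicBuckets
    confines an existing public policy to the account and AWS services.
    """
    s3.put_bucket_acl(Bucket=bucket, ACL="private")
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )


# Constructed sample documents (no real account, bucket or owner IDs).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER_GRANT]}
SAMPLE_PUBLIC_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_DENY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyPublicReadAccess", "Effect": "Deny", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("public ACL:", acl_allows_public_read(SAMPLE_PUBLIC_ACL))          # True
    print("public policy:", policy_allows_public_read(SAMPLE_PUBLIC_POLICY))  # True
    print("deny-only policy:", policy_allows_public_read(SAMPLE_DENY_POLICY))  # False
```

Run it against a real account by passing `boto3.client("s3")` to `audit_buckets` and, for each finding, to `remediate_public_read` after the contents have been reviewed (step 2). Conditioned `Allow` statements are deliberately not flagged by the policy check, so review those by hand rather than assuming they are safe.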

By following these troubleshooting steps and implementing the necessary changes, you can ensure that S3 buckets comply with the FedRAMP Moderate Revision 4 requirement regarding public read access.

Note: Make sure to replace "bucket-name" with the actual name of the S3 bucket in the provided bucket policy.
