
Rule: S3 Buckets Should Prohibit Public Write Access

This rule ensures that S3 buckets restrict public write access, maintaining high security standards.

Rule: S3 buckets should prohibit public write access
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule Description:

This rule is designed to ensure that S3 buckets in the AWS environment have the necessary access controls in place to prohibit public write access. It specifically applies to S3 buckets that are governed by the FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4 compliance framework.

Troubleshooting Steps:

  1. Check the access control list (ACL) of the S3 bucket to verify whether it allows public write access.
  2. Review the bucket policy to identify any statement that allows public write access.
  3. Ensure that the bucket's block public access settings are properly configured.
  4. Validate the permissions assigned to IAM users, groups, or roles associated with the bucket and confirm that there are no policies allowing public write access.
  5. Examine any bucket replication settings to ensure they do not allow public write access to the replication destination.

Necessary Codes:

Bucket Policy:

To explicitly deny public write access in the bucket policy, you can use the following code snippet. The condition is what makes the statement safe to apply: a Deny with "Principal": "*" and no condition would block the bucket owner's own writes as well, so the condition exempts principals that belong to the bucket owner's account. Replace 111122223333 (a placeholder) with the bucket owner's AWS account ID and bucket-name with the bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicWrite",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "111122223333"
        }
      }
    }
  ]
}

Anonymous requests carry no aws:PrincipalAccount value, and StringNotEquals matches when its key is absent, so the Deny applies to anonymous writers as well as to principals from other accounts. A condition on aws:SecureTransport alone would only reject requests sent over plain HTTP and would still let a public write through over HTTPS. Add s3:PutObjectAcl and s3:DeleteObject to the Action list if object ACL changes and deletions should be covered too.
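The difference between a Deny conditioned on aws:SecureTransport and one conditioned on aws:PrincipalAccount is easiest to see by evaluating both against concrete requests. The following is an added example, not code from the page or from Cloud Defense: a small bucket-policy-only evaluator that models the IAM rules the two statements rely on (explicit Deny beats Allow; Bool and StringEquals fail when the key is absent; StringNotEquals matches when the key is absent). Both policies, the "LegacyPublicUpload" grant they are paired with, the bucket name, and the account IDs 111122223333 and 999999999999 are constructed placeholders. Real S3 evaluation also consults IAM identity policies and ACLs, which this example leaves out on purpose.

```python
import fnmatch

# Constructed for this example: the same accidental public upload grant paired with each Deny.
# Account IDs and bucket name are placeholders.
LEGACY_PUBLIC_UPLOAD = {
    "Sid": "LegacyPublicUpload", "Effect": "Allow", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
}
TLS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [LEGACY_PUBLIC_UPLOAD, {
    "Sid": "DenyPublicWrite", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}]}
ACCOUNT_SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [LEGACY_PUBLIC_UPLOAD, {
    "Sid": "DenyPublicWrite", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "111122223333"}},
}]}

# Constructed request contexts. Anonymous requests have no principal and no aws:PrincipalAccount.
_PUT = {"action": "s3:PutObject", "resource": "arn:aws:s3:::example-bucket/upload.txt"}
REQUESTS = {
    "anonymous_https": {**_PUT, "principal": None, "context": {"aws:SecureTransport": "true"}},
    "anonymous_http": {**_PUT, "principal": None, "context": {"aws:SecureTransport": "false"}},
    "owner_role_https": {**_PUT, "principal": "arn:aws:iam::111122223333:role/uploader",
                         "context": {"aws:SecureTransport": "true", "aws:PrincipalAccount": "111122223333"}},
    "other_account_https": {**_PUT, "principal": "arn:aws:iam::999999999999:user/outsider",
                            "context": {"aws:SecureTransport": "true", "aws:PrincipalAccount": "999999999999"}},
}


def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, principal_arn):
    """"*" and {"AWS": "*"} match everyone, including anonymous requests (principal_arn None)."""
    if spec == "*":
        return True
    if isinstance(spec, dict):
        return any(entry in ("*", principal_arn) for entry in _as_list(spec.get("AWS", [])))
    return False


def _condition_matches(condition, context):
    """Evaluate the operators used here with IAM's missing-key rules."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            present = actual is not None
            if operator == "Bool":
                ok = present and str(actual).lower() in {str(v).lower() for v in _as_list(expected)}
            elif operator == "StringEquals":
                ok = present and actual in _as_list(expected)
            elif operator == "StringNotEquals":
                # A negated operator matches when the key is absent, which is why anonymous
                # requests fall under the account-scoped Deny.
                ok = (not present) or actual not in _as_list(expected)
            else:
                raise ValueError(f"operator {operator} is not modelled by this example")
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """Bucket-policy-only decision: explicit Deny wins, otherwise Allow, otherwise implicit deny."""
    decision = "IMPLICIT_DENY"
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt["Principal"], request["principal"]):
            continue
        if not any(fnmatch.fnmatchcase(request["action"].lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], request["context"]):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"
        decision = "ALLOW"
    return decision


def compare(requests=REQUESTS):
    """Map each request name to (decision under TLS-only Deny, decision under account-scoped Deny)."""
    return {name: (evaluate(TLS_ONLY_POLICY, req), evaluate(ACCOUNT_SCOPED_POLICY, req))
            for name, req in requests.items()}


if __name__ == "__main__":
    for name, (tls, acct) in compare().items():
        print(f"{name:20s} TLS-only deny: {tls:13s} account-scoped deny: {acct}")
```

Running it shows that the TLS-only Deny leaves both the anonymous HTTPS upload and the other-account upload allowed, while the account-scoped Deny blocks both and still lets the owner's role write.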

Block Public Access:

To enable block public access for the S3 bucket, follow these steps:

  1. Go to the AWS S3 Management Console.
  2. Select the targeted bucket.
  3. Click on the "Permissions" tab.
  4. Scroll down to the "Block public access" section.
  5. Ensure that all the "Block public access" settings are enabled, including:
    • "Block all public access"
    • "Block public access to buckets and objects granted through new access control lists (ACLs)"
    • "Block public access to buckets and objects granted through any access control lists (ACLs)"
    • "Block public access to buckets and objects granted through new public bucket or access point policies"
    • "Block public and cross-account access to buckets and objects through any public bucket or access point policies"

Step-by-Step Guide:

To remediate the public write access issue in an S3 bucket governed by FedRAMP Moderate Revision 4, you can follow these steps:

  1. Log in to the AWS Management Console.
  2. Open the S3 service.
  3. Locate the targeted bucket and click on its name.
  4. Review the bucket's access control list (ACL):
    • In the Permissions tab, navigate to the "Access control list" section.
    • Verify that there are no grants allowing public write access. If any exist, remove them.
  5. Check the bucket policy and adjust it if needed:
    • In the Permissions tab, navigate to the "Bucket policy" section.
    • Ensure that the code snippet mentioned above is present or add it if not.
  6. Ensure block public access settings are properly configured:
    • In the Permissions tab, scroll down to the "Block public access" section.
    • Verify that all the block public access settings are enabled as mentioned in the previous section.
  7. Validate IAM user/group/role permissions:
    • Review the IAM policies assigned to users, groups, or roles associated with the bucket.
    • Verify that there are no policies permitting public write access. Modify the policies if necessary.
  8. Review bucket replication settings:
    • If bucket replication is configured, check the replication destination.
    • Ensure that the destination bucket doesn't allow public write access.
  9. Regularly monitor the bucket's access controls to ensure ongoing compliance with the FedRAMP Moderate Revision 4 requirements.
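Troubleshooting steps 1 to 3 and steps 4 to 6 of this guide are the same three checks (ACL grants, bucket policy statements, Block Public Access settings), and they can be run offline against the data the S3 API returns. The following is an added example, not code from the page or from Cloud Defense: it takes dictionaries shaped like the boto3 responses of get_bucket_acl, get_bucket_policy and get_public_access_block and reports every public write-class grant and every Block Public Access setting that is off. The sample responses at the bottom, the bucket name and the owner ID are constructed for the example; the mapping of the four console settings to their API keys in PUBLIC_ACCESS_BLOCK_KEYS is the real one.

```python
import json

# ACL grantee groups that make a grant public. AuthenticatedUsers means any AWS account holder,
# which AWS also treats as public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# API keys of the four Block Public Access console settings, in the console's order.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",        # ... granted through new ACLs
    "IgnorePublicAcls",       # ... granted through any ACLs
    "BlockPublicPolicy",      # ... granted through new public bucket or access point policies
    "RestrictPublicBuckets",  # ... through any public bucket or access point policies
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_write_grants(acl):
    """Findings for ACL grants that give a public group a write-class permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in ACL_WRITE_PERMISSIONS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_write_action(action):
    a = action.lower()
    return a in ("*", "s3:*") or a.startswith("s3:put") or a.startswith("s3:delete")


def public_write_statements(policy_document):
    """Findings for Allow statements granting write-class actions to everyone.
    A Condition is reported rather than evaluated: most condition keys still leave the grant public.
    Pass None when the bucket has no policy (get_bucket_policy raises NoSuchBucketPolicy)."""
    if policy_document is None:
        return []
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue  # Deny statements and account-scoped principals are not public grants
        write_actions = [a for a in _as_list(stmt.get("Action", [])) if _is_write_action(a)]
        if not write_actions:
            continue
        note = " (has a Condition; review it)" if stmt.get("Condition") else ""
        sid = stmt.get("Sid", "<no Sid>")
        findings.append(f"policy statement {sid!r} allows {', '.join(write_actions)} to everyone{note}")
    return findings


def public_access_block_gaps(response):
    """Names of the Block Public Access settings that are not enabled."""
    config = response.get("PublicAccessBlockConfiguration", response)
    return [key for key in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(key, False)]


def audit_bucket(acl, policy_document, public_access_block):
    findings = public_write_grants(acl) + public_write_statements(policy_document)
    gaps = public_access_block_gaps(public_access_block)
    return {"findings": findings, "block_public_access_gaps": gaps, "compliant": not findings and not gaps}


# Constructed sample responses: a bucket that fails all three checks.
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})
SAMPLE_BPA = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_BPA), indent=2))
```

The read-only PublicRead statement is deliberately not reported, since this rule is about write access, and the Deny statement is skipped because a Deny can never make a bucket writable; only the ACL WRITE grant, the PublicUpload statement and the three disabled Block Public Access settings appear in the report.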
