
Rule: S3 Public Access Blocked at Account Level

Ensure compliance by blocking S3 public access at the account level.

Rule: S3 public access should be blocked at account level
Framework: FedRAMP Moderate Revision 4
Severity: Medium

S3 Public Access Block for FedRAMP Moderate Revision 4

Description:

The S3 Public Access Block is a security measure that ensures that all public access to S3 (Simple Storage Service) resources within an AWS account is blocked. This rule specifically focuses on implementing this block for AWS accounts compliant with the Federal Risk and Authorization Management Program (FedRAMP) Moderate Revision 4 requirements.

Troubleshooting Steps:

If you encounter any issues related to implementing the S3 Public Access Block for FedRAMP Moderate Revision 4, follow these troubleshooting steps:

1. Verify the AWS account's compliance: Check whether the AWS account is classified as FedRAMP Moderate Revision 4 compliant. Ensure that all the necessary controls and requirements are met.

2. Review S3 Public Access settings: Confirm the current status of the S3 Public Access settings in the AWS Management Console. Ensure that it is enabled and configured correctly.

3. Check IAM policies: Inspect the IAM (Identity and Access Management) policies associated with the account. Ensure that they do not allow any unintended public access to S3 resources.

4. Review bucket policies: Analyze the bucket policies associated with each S3 bucket in the account. Ensure that no policies allow public access to the buckets.

5. Audit Access Control Lists (ACLs): Review the Access Control Lists applied to S3 buckets. Confirm that there are no permissive rules granting public access.

6. Enable AWS CloudTrail: Enable AWS CloudTrail to monitor and log all API activity within the AWS account. This will help identify any unauthorized attempts to change S3 Public Access settings.
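Steps 2 through 6 above each amount to reading one piece of evidence and deciding whether it permits public access. The script below is an added example (it is not part of the Cloud Defense rule page) that performs those decisions offline over dictionaries shaped like the JSON the AWS CLI returns for `aws s3control get-public-access-block`, a bucket or IAM policy document, `aws s3api get-bucket-acl`, and CloudTrail event records. All sample values (account id, bucket name, VPC endpoint id, timestamps, principal ARNs) are constructed for the demonstration; the flag names, ACL group URIs and CloudTrail event names are the ones AWS uses.

```python
"""Offline audit of the evidence the troubleshooting steps ask for (added example)."""
import json

# The four flags that "Block all public access" turns on at the account level.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Predefined ACL groups that expose a bucket to everyone (AllUsers) or to any
# AWS principal at all (AuthenticatedUsers); both count as public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# CloudTrail event names recorded when the account-level block is changed.
PAB_CHANGE_EVENTS = {"PutAccountPublicAccessBlock", "DeleteAccountPublicAccessBlock"}


def pab_findings(pab_output):
    """Return the flags that are not set to true (an empty list means compliant)."""
    cfg = pab_output.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if cfg.get(flag) is not True]


def _grants_everyone(principal):
    """True for the principal forms that mean 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_doc):
    """Sids of Allow statements that grant everyone and carry no Condition.

    Statements with a Condition (e.g. aws:SourceVpce) are deliberately not
    flagged: they need a human review rather than an automatic verdict.
    """
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    return [stmt.get("Sid", f"statement[{i}]")
            for i, stmt in enumerate(statements)
            if stmt.get("Effect") == "Allow"
            and _grants_everyone(stmt.get("Principal"))
            and not stmt.get("Condition")]


def public_acl_grants(acl_output):
    """(group, permission) pairs for ACL grants to AllUsers / AuthenticatedUsers."""
    hits = []
    for grant in acl_output.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def pab_change_events(events):
    """(time, event, actor) for CloudTrail records that changed the account-level block."""
    return [(e["eventTime"], e["eventName"], e.get("userIdentity", {}).get("arn"))
            for e in events
            if e.get("eventSource") == "s3.amazonaws.com"
            and e.get("eventName") in PAB_CHANGE_EVENTS]


# --- constructed sample inputs, shaped like the CLI output ------------------
SAMPLE_PAB = json.loads('{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true,'
                        ' "IgnorePublicAcls": true, "BlockPublicPolicy": false,'
                        ' "RestrictPublicBuckets": false}}')
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]}
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutAccountPublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"}},
    {"eventTime": "2024-01-10T09:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"}},
]


def audit(pab=SAMPLE_PAB, policy=SAMPLE_POLICY, acl=SAMPLE_ACL, events=SAMPLE_EVENTS):
    """Combine the four checks into one finding set."""
    return {"pab_flags_not_set": pab_findings(pab),
            "public_policy_statements": public_statements(policy),
            "public_acl_grants": public_acl_grants(acl),
            "pab_changes": pab_change_events(events)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

On the sample data the audit reports two account-level flags left off, the unconditioned `PublicRead` statement, an `AllUsers` READ grant, and the one CloudTrail record that changed the block, which is the evidence set step 6 wants an alert on. Feeding real CLI output is a matter of `json.load`ing each file and passing it to `audit`.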

Necessary Codes:

No specific code is required for this rule, as it involves enabling and configuring the S3 Public Access Block through the AWS Management Console.

Step-by-Step Guide for Remediation:

Follow these steps to remediate and configure the S3 Public Access Block for FedRAMP Moderate Revision 4:

1. Sign in to the AWS Management Console using your AWS account credentials.

2. Open the Amazon S3 console.

3. Navigate to the "Permissions" tab.

4. In the left navigation pane, click on "Block public access".

5. Click on "Edit".

6. Ensure that all the settings under "Account-level public access settings" are disabled. Make sure "Block all public access" is selected.

7. Review and understand the impact of blocking public access before confirming the changes.

8. Click on "Save" to apply the configuration changes.

9. Repeat the above steps for each AWS account that needs to be in compliance with the FedRAMP Moderate Revision 4 requirements.

10. Periodically review the S3 Public Access settings to ensure ongoing compliance and security.
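The console procedure above does not scale to step 9 (every in-scope account) or step 10 (periodic review), so here is the same remediation expressed against the API, as an added example rather than code from the rule page. "Block all public access" in the console corresponds to setting all four flags of the account's PublicAccessBlockConfiguration to true, and the write replaces the whole configuration, so all four are always sent. The functions take any object that exposes the boto3 `s3control` client methods `get_public_access_block` and `put_public_access_block` and its `NoSuchPublicAccessBlockConfiguration` exception; `FakeS3Control`, the account ids and the `client_for` factory are constructed stand-ins so the script runs offline, and in production `client_for` would be where a cross-account role is assumed and `boto3.client("s3control")` returned.

```python
"""Account-level S3 Public Access Block: plan, apply, verify (added example)."""

# What "Block all public access" means in API terms: all four flags true.
DESIRED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
           "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def current_config(client, account_id):
    """Return the account's configuration, or {} when none has ever been set."""
    try:
        resp = client.get_public_access_block(AccountId=account_id)
    except client.exceptions.NoSuchPublicAccessBlockConfiguration:
        return {}
    return resp["PublicAccessBlockConfiguration"]


def drift(client, account_id):
    """Flags whose current value differs from DESIRED, mapped to their current value."""
    cfg = current_config(client, account_id)
    return {flag: cfg.get(flag) for flag, want in DESIRED.items() if cfg.get(flag) is not want}


def remediate_account(client, account_id, dry_run=True):
    """Bring one account to the desired state and read it back to confirm."""
    gap = drift(client, account_id)
    if not gap:
        return "compliant"
    if dry_run:
        return "would-fix:" + ",".join(sorted(gap))
    # PutPublicAccessBlock replaces the whole configuration, so send every flag.
    client.put_public_access_block(AccountId=account_id,
                                   PublicAccessBlockConfiguration=DESIRED)
    if drift(client, account_id):  # verify the write instead of trusting it
        raise RuntimeError(f"{account_id}: configuration did not apply")
    return "remediated"


def remediate_accounts(client_for, account_ids, dry_run=True):
    """Step 9 of the guide: run the same check against every in-scope account.

    client_for(account_id) returns a client scoped to that account (hypothetical
    factory; in production it assumes a role into the account).
    """
    return {acct: remediate_account(client_for(acct), acct, dry_run) for acct in account_ids}


class FakeS3Control:
    """In-memory stand-in for the boto3 s3control client (constructed for this example)."""
    class exceptions:
        class NoSuchPublicAccessBlockConfiguration(Exception):
            pass

    def __init__(self, configs):
        self.configs = {acct: dict(cfg) for acct, cfg in configs.items()}
        self.writes = []  # account ids written to, in order

    def get_public_access_block(self, AccountId):
        if AccountId not in self.configs:
            raise self.exceptions.NoSuchPublicAccessBlockConfiguration()
        return {"PublicAccessBlockConfiguration": dict(self.configs[AccountId])}

    def put_public_access_block(self, AccountId, PublicAccessBlockConfiguration):
        self.writes.append(AccountId)
        self.configs[AccountId] = dict(PublicAccessBlockConfiguration)
        return {}


# Constructed fleet: one compliant account, one half-configured, one never configured.
SAMPLE_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]


def sample_fleet():
    return FakeS3Control({
        "111111111111": DESIRED,
        "222222222222": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                         "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    })


def demo(fleet, dry_run=True):
    """Plan (dry_run=True) or apply (dry_run=False) across the sample fleet."""
    return remediate_accounts(lambda _acct: fleet, SAMPLE_ACCOUNTS, dry_run=dry_run)


if __name__ == "__main__":
    fleet = sample_fleet()
    print(demo(fleet, dry_run=True))   # plan only, nothing written
    print(demo(fleet, dry_run=False))  # apply and verify
```

Running the plan first and only then applying is the API equivalent of step 7: the dry run lists exactly which flags each account is missing before anything changes, and the read-back after the write is what step 10's periodic review should repeat.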

Conclusion:

By implementing the S3 Public Access Block for accounts compliant with FedRAMP Moderate Revision 4, you can prevent unintentional exposure of S3 resources to the public. Following the troubleshooting steps and using the provided guide for remediation will help ensure your AWS account is secure and meets the necessary regulatory requirements. Remember to review and update the S3 Public Access settings regularly to maintain a secure environment.
