
Rule: S3 Buckets Should Prohibit Public Read Access

This rule requires that S3 buckets grant no read access to anonymous or unrestricted principals, whether through a bucket policy or an ACL, so that stored objects cannot be read by the public.

Rule: S3 buckets should prohibit public read access
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Medium

Rule Description:

Under the FFIEC framework, S3 buckets must not allow public read access: no bucket policy statement, bucket ACL or object ACL may grant read permission to everyone ("*" / AllUsers) or to any authenticated AWS user (AuthenticatedUsers). The point is to protect the confidentiality of sensitive financial information stored in those buckets.

Troubleshooting Steps (if applicable):

If a bucket is reported as allowing public read access, work through each place where that access can be granted:

  1. Verify bucket permissions: the Permissions tab of the S3 console marks a bucket "Public" when a policy or ACL grants access to everyone, and aws s3api get-bucket-policy-status reports the same fact as IsPublic.

  2. Review the bucket policy: look for Allow statements whose Principal is "*" or {"AWS": "*"} and whose Action covers s3:GetObject, including wildcards such as s3:Get* or s3:*. A Condition narrows such a statement but does not by itself make it non-public.

  3. Check bucket and object ACLs: grants to the AllUsers or AuthenticatedUsers group with READ (or FULL_CONTROL) permission expose listings or object contents. Object ACLs can be public even when the bucket ACL is clean.

  4. Audit IAM and related policies: identity-based IAM policies apply only to principals in your own account and cannot grant anonymous access, but an S3 access point policy can. Also review who holds s3:PutBucketPolicy, s3:PutBucketAcl and s3:PutObjectAcl, because those permissions let public access be reintroduced.

  5. Verify Block Public Access: confirm that all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) are enabled on the bucket or inherited from the account. Together they reject new public grants and neutralize existing public ACLs and policies.
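The checks above can be scripted. The following Python is an example added for this page, not part of CloudDefense's product: it evaluates a bucket policy, a bucket ACL and the Block Public Access configuration (the three documents returned by get-bucket-policy, get-bucket-acl and get-public-access-block) and reports whether the bucket is effectively publicly readable. The sample inputs are constructed inline rather than fetched from AWS; the bucket name, endpoint ID and owner ID are placeholders, and the handling of Condition blocks is deliberately simpler than what IAM Access Analyzer does.

```python
"""Offline check for the S3 public-read rule over constructed sample data.
Example code added for this page; not CloudDefense's own checker."""
import fnmatch
import json

# ACL grantee URIs that make a grant public (everyone, or any AWS account).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that expose bucket listings or object contents.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _allows_object_read(actions):
    """True if any action pattern covers s3:GetObject (IAM actions are case-insensitive)."""
    return any(fnmatch.fnmatch("s3:getobject", a.lower()) for a in _as_list(actions))


def public_read_statements(policy):
    """Return Sids of Allow statements granting unconditional anonymous object read.

    Statements carrying a Condition are skipped here: Access Analyzer applies
    finer rules to decide whether a condition still leaves the bucket public,
    so treat a conditioned grant as 'review manually', not as 'safe'.
    """
    if not policy:
        return []
    flagged = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if _principal_is_public(st.get("Principal")) and _allows_object_read(st.get("Action")):
            flagged.append(st.get("Sid", f"statement[{i}]"))
    return flagged


def public_read_grants(acl):
    """Return (grantee URI, permission) pairs in an ACL that grant public read."""
    hits = []
    for g in (acl or {}).get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES and g.get("Permission") in READ_PERMISSIONS:
            hits.append((uri, g["Permission"]))
    return hits


def evaluate_bucket(policy, acl, public_access_block):
    """Decide whether the bucket is effectively publicly readable.

    Block Public Access can mask a public policy (RestrictPublicBuckets) or
    public ACL grants (IgnorePublicAcls); the policy or ACL is still
    misconfigured and should be cleaned up, so both facts are reported.
    """
    pab = public_access_block or {}
    bad_statements = public_read_statements(policy)
    bad_grants = public_read_grants(acl)
    policy_exposed = bool(bad_statements) and not pab.get("RestrictPublicBuckets", False)
    acl_exposed = bool(bad_grants) and not pab.get("IgnorePublicAcls", False)
    return {
        "public_policy_statements": bad_statements,
        "public_acl_grants": bad_grants,
        "public_read": policy_exposed or acl_exposed,
    }


# Constructed sample inputs: placeholder bucket, endpoint and owner IDs, not real ones.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(json.dumps(evaluate_bucket(SAMPLE_POLICY, SAMPLE_ACL, None), indent=2))
    print(json.dumps(evaluate_bucket(SAMPLE_POLICY, SAMPLE_ACL, ALL_BLOCKED), indent=2))
```

Run against the sample bucket, the first evaluation flags both the PublicRead statement and the AllUsers grant and reports public_read true; with all four Block Public Access settings on, the same findings are still listed but public_read is false, which is exactly why step 5 matters even when the policy and ACL look bad.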

Necessary Codes (if applicable):

To enforce the rule for FFIEC you need to configure the bucket's permissions and policies. The following bucket policy denies object reads to every principal, anonymous or authenticated, whose request does not arrive through a specific VPC endpoint:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicReadAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpce": "vpce-id"
                }
            }
        }
    ]
}

Replace bucket-name with the name of your S3 bucket and vpce-id with the ID of the VPC endpoint that is allowed to reach the bucket. The operator must be StringNotEquals: the statement then denies s3:GetObject to every request that did not come through that endpoint, and because negated operators also match when the key is absent, anonymous requests from the internet are denied too. (With StringEquals the deny would apply only to requests from the endpoint, the opposite of the intent.) An explicit Deny overrides any Allow, including an ACL grant to AllUsers, so public reads are blocked even if a public ACL still exists; the same Deny also blocks your own account's console, CLI and role sessions unless they transit the endpoint, so add an exception for administrative roles (for example an ArnNotLike condition on aws:PrincipalArn) before applying it, and keep s3:PutBucketPolicy tightly restricted so the policy cannot be quietly removed.

Remediation Steps:

To remediate public read access on an S3 bucket for FFIEC, follow these steps:

  1. Identify the bucket: determine which bucket needs to be configured to prohibit public read access (the findings from the troubleshooting steps above, aws s3api get-bucket-policy-status, or Access Analyzer for S3 will name it).

  2. Create or update the bucket policy: apply the Deny policy above with the AWS Management Console, aws s3api put-bucket-policy, or an SDK. If the current policy contains an Allow statement for "*", remove that statement as well rather than relying on the Deny alone.

  3. Enable Block Public Access: turn on all four settings for the bucket with aws s3api put-public-access-block (and preferably at the account level too), so that existing public ACLs are ignored and future public policies are rejected. Then remove any AllUsers or AuthenticatedUsers grants from the bucket and object ACLs, or set Object Ownership to "Bucket owner enforced", which disables ACLs entirely.

  4. Test the configuration: make an unauthenticated request for an object, for example aws s3api get-object --no-sign-request --bucket bucket-name --key some-object out.bin or a plain HTTPS GET of the object URL, and expect 403 Forbidden. Confirm that get-bucket-policy-status reports IsPublic false and that the principals and VPC endpoint that should have access still succeed.

  5. Monitor and maintain: re-run the check regularly (the AWS Config managed rule s3-bucket-public-read-prohibited and Access Analyzer for S3 do this continuously) and alert on PutBucketPolicy, PutBucketAcl, PutObjectAcl and DeletePublicAccessBlock events in CloudTrail. Stay up to date with changes in regulations or security best practices that may require adjustments to the bucket policies.
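Steps 2 to 4 as one script. This Python is an example added for this page, not CloudDefense tooling: it enables all four Block Public Access settings first (so a later mistaken public policy would be rejected), applies the Deny policy from the "Necessary Codes" section with an optional administrative-role exception, and then re-reads both settings to confirm the bucket is non-public. The s3 argument is meant to be a real boto3 S3 client (boto3.client("s3")), whose put_public_access_block, put_bucket_policy, get_public_access_block and get_bucket_policy_status calls are used unchanged; RecordingS3Client is a stand-in with the same method names so the logic runs offline. The bucket name, endpoint ID and role ARN are placeholders, and exempt_principal_arns is a parameter of this example, not an AWS API field.

```python
"""Remediate and verify the S3 public-read rule for one bucket.
Example code added for this page; `s3` should be boto3.client("s3") in practice."""
import json

# The four bucket-level Block Public Access settings, all on.
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def deny_read_outside_vpce(bucket, vpce_id, exempt_principal_arns=()):
    """Build the Deny policy from the page, plus an optional admin exception.

    StringNotEquals on aws:SourceVpce denies every request that did not come
    through the endpoint, anonymous requests included (a negated operator also
    matches when the key is absent). That would lock out your own console and
    CLI sessions too, so `exempt_principal_arns` (a parameter of this example)
    adds an ArnNotLike exception for break-glass or administrative roles.
    """
    condition = {"StringNotEquals": {"aws:SourceVpce": vpce_id}}
    if exempt_principal_arns:
        condition["ArnNotLike"] = {"aws:PrincipalArn": list(exempt_principal_arns)}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPublicReadAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": condition,
        }],
    }


def verify(s3, bucket):
    """True when every Block Public Access flag is on and S3 rates the policy non-public."""
    pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    if not all(pab.get(flag) is True for flag in BLOCK_ALL):
        return False
    status = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]
    return status["IsPublic"] is False


def remediate(s3, bucket, vpce_id, exempt_principal_arns=()):
    """Block Public Access first, then the Deny policy, then re-read to confirm."""
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    policy = deny_read_outside_vpce(bucket, vpce_id, exempt_principal_arns)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    return verify(s3, bucket)


class RecordingS3Client:
    """Offline stand-in for boto3.client("s3"): stores what was written and
    answers the two read calls the way the real service would for this input."""

    def __init__(self):
        self.calls = []
        self.pab = {}
        self.policy = None

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.pab = dict(PublicAccessBlockConfiguration)
        self.calls.append("put_public_access_block")
        return {}

    def put_bucket_policy(self, Bucket, Policy):
        json.loads(Policy)  # the real API rejects malformed JSON as well
        self.policy = Policy
        self.calls.append("put_bucket_policy")
        return {}

    def get_public_access_block(self, Bucket):
        return {"PublicAccessBlockConfiguration": dict(self.pab)}

    def get_bucket_policy_status(self, Bucket):
        # Simplified IsPublic: an unconditional Allow to "*" is public; a Deny never is.
        statements = json.loads(self.policy)["Statement"] if self.policy else []
        is_public = any(s.get("Effect") == "Allow" and s.get("Principal") == "*"
                        and not s.get("Condition") for s in statements)
        return {"PolicyStatus": {"IsPublic": is_public}}


if __name__ == "__main__":
    # Placeholder bucket name, endpoint ID and role ARN; none of them are real.
    client = RecordingS3Client()  # in production: boto3.client("s3")
    ok = remediate(client, "example-bucket", "vpce-0123456789abcdef0",
                   exempt_principal_arns=["arn:aws:iam::123456789012:role/S3Admin"])
    print("compliant:", ok)
    print(client.policy)
```

Against a real client the only change is constructing boto3.client("s3") instead of the stub; the caller needs s3:PutBucketPublicAccessBlock, s3:PutBucketPolicy, s3:GetBucketPublicAccessBlock and s3:GetBucketPolicyStatus on the bucket. Note that get_bucket_policy_status raises if the bucket has no policy at all, which is why the Deny policy is written before verification runs.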

By following these steps you bring the bucket into line with the FFIEC rule on public read access and protect the sensitive financial information it holds.
