
Rule: S3 Public Access Should Be Blocked at Account and Bucket Levels

This rule ensures that S3 public access is restricted at both account and bucket levels.

Rule: S3 public access should be blocked at account and bucket levels
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Medium

Rule Description:

For Federal Financial Institutions Examination Council (FFIEC) compliance, public access to Amazon S3 must be blocked at both the account level and the bucket level, so that sensitive data stored in S3 cannot be listed or read by anonymous or unintended principals. The two levels are complementary: the account-level Block Public Access setting covers every bucket in the account, including buckets created later, while the bucket-level setting keeps an individual bucket protected even if the account-level setting is later relaxed. S3 enforces the most restrictive combination of the two.

Enforcing this rule prevents unauthorized access from the public and supports compliance with FFIEC regulations and guidelines.

Troubleshooting Steps:

  1. Check whether the account-level public access block is enabled with all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets); it applies to every bucket in the account.
  2. Check whether the bucket itself has a public access block with all four settings, and review its bucket policy and ACL for grants to "*" or to the AllUsers / AuthenticatedUsers groups.
  3. Ensure there are no conflicting settings that still allow public access, for example a bucket with no block of its own while the account-level block is incomplete.
  4. Review the logging and monitoring setup to identify any attempts at unauthorized access.

Necessary Code:

To block public access at the account level, you can use the following code:

aws s3control put-public-access-block \
  --account-id <YOUR_ACCOUNT_ID> \
  --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

To block public access at the bucket level, apply the same four settings to each bucket. This is the bucket-level counterpart of the account-level command above and is what the rule checks for:

aws s3api put-public-access-block \
  --bucket YOUR_BUCKET_NAME \
  --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

The following bucket policy is a complementary control, not a substitute for the block: it denies object reads over plaintext HTTP (aws:SecureTransport is false) for every principal, but on its own it does not prevent the bucket from being made public through an ACL or a later "Allow" statement. Apply it in addition to the public access block:

{
    "Version": "2012-10-17",
    "Id": "EnforceTLS",
    "Statement": [
        {
            "Sid": "DenyInsecureObjectReads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Replace YOUR_ACCOUNT_ID with your AWS account ID and YOUR_BUCKET_NAME with the name of your S3 bucket.
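The two levels interact in a way the troubleshooting steps only hint at: S3 enforces the most restrictive combination, so a bucket with no configuration of its own is protected while the account-level block is complete but becomes exposable the moment the account setting is relaxed. The following Python script, an added example that is not part of the original page or of Cloud Defense's tooling, evaluates both levels from the configuration dicts that `aws s3control get-public-access-block` and `aws s3api get-public-access-block` return. The account and bucket states are constructed, and a bucket whose bucket-level call fails with NoSuchPublicAccessBlockConfiguration is modelled as None.

```python
"""Evaluate S3 Block Public Access at account and bucket level.

Added example, not Cloud Defense's own code. Input dicts use the key names returned
under "PublicAccessBlockConfiguration" by the get-public-access-block calls; a bucket
that has no bucket-level configuration (NoSuchPublicAccessBlockConfiguration) is None.
"""
from typing import Dict, List, Optional

FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
Config = Optional[Dict[str, bool]]


def missing_flags(cfg: Config) -> List[str]:
    """Flags that are absent or false in one configuration (None means nothing is set)."""
    cfg = cfg or {}
    return [f for f in FLAGS if cfg.get(f) is not True]


def effective_block(account: Config, bucket: Config) -> Dict[str, bool]:
    """What S3 actually enforces for a bucket: the most restrictive of the two levels,
    i.e. a flag is on if it is on at either level."""
    account, bucket = account or {}, bucket or {}
    return {f: account.get(f) is True or bucket.get(f) is True for f in FLAGS}


def evaluate(account_cfg: Config, bucket_cfgs: Dict[str, Config]) -> Dict:
    """Rule verdict. The rule requires both levels, so a bucket protected only by the
    account-level block is still non-compliant at bucket level; "exposure_possible"
    separately says whether the bucket can actually be made public right now."""
    account_missing = missing_flags(account_cfg)
    report = {"account": {"compliant": not account_missing, "missing": account_missing},
              "buckets": {}}
    for name, cfg in bucket_cfgs.items():
        own_missing = missing_flags(cfg)
        eff_missing = missing_flags(effective_block(account_cfg, cfg))
        report["buckets"][name] = {
            "bucket_level_compliant": not own_missing,
            "bucket_level_missing": own_missing,
            "effective_missing": eff_missing,
            "exposure_possible": bool(eff_missing),
        }
    report["compliant"] = report["account"]["compliant"] and all(
        b["bucket_level_compliant"] for b in report["buckets"].values())
    return report


# Constructed sample state (not real account data): the account block is only half
# applied, one bucket has no bucket-level configuration, one is complete, one lacks a flag.
SAMPLE_ACCOUNT: Config = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_BUCKETS: Dict[str, Config] = {
    "finance-reports": {f: True for f in FLAGS},
    "legacy-static-site": None,
    "partner-exchange": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                         "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_ACCOUNT, SAMPLE_BUCKETS)
    print("rule compliant:", result["compliant"])
    print("account-level missing:", result["account"]["missing"])
    for name, finding in result["buckets"].items():
        print(f"{name}: bucket-level missing {finding['bucket_level_missing'] or 'none'}, "
              f"exposure possible: {finding['exposure_possible']}")
```

In the sample, finance-reports passes at bucket level and cannot be exposed, legacy-static-site fails at bucket level and is exposable because the account block lacks BlockPublicPolicy and RestrictPublicBuckets, and partner-exchange is exposable through the one flag that is off at both levels. Feed the function real output from the two get-public-access-block calls to audit an account.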

Remediation Steps:

  1. Block public access at the account level:

     • Execute the provided account-level command with the AWS CLI.
     • Verify the result with aws s3control get-public-access-block --account-id <YOUR_ACCOUNT_ID> and confirm that all four settings are true.
  2. Block public access at the bucket level:

     • Assign the permissions needed to modify the bucket's settings (s3:PutBucketPublicAccessBlock and, for the policy, s3:PutBucketPolicy).
     • Apply the bucket-level public access block with all four settings enabled, and optionally the TLS-enforcement bucket policy shown above.
     • Verify that public access to the bucket and its objects is denied, for example that an unauthenticated GET of an object returns 403.
  3. Regularly monitor, audit, and review the S3 access controls and permissions:

     • Enable server access logging or CloudTrail data events for the bucket and analyze the logs for suspicious activity.
     • Monitor CloudTrail management events for changes to public access blocks, bucket policies and ACLs (PutPublicAccessBlock, DeletePublicAccessBlock, PutBucketPolicy, PutBucketAcl).
     • Use AWS Config managed rules such as s3-account-level-public-access-blocks and s3-bucket-level-public-access-prohibited to continuously validate the settings.
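For the CloudTrail monitoring step, the events worth alerting on are DeletePublicAccessBlock and any PutPublicAccessBlock whose configuration leaves a flag off, with PutBucketPolicy and PutBucketAcl queued for human review. The following detector is an added example, not the page's or Cloud Defense's code, run over a constructed trail file. The record fields follow CloudTrail's record layout, but the exact requestParameters shape for these calls (bucketName, accountId, PublicAccessBlockConfiguration) and the two eventSource values are assumptions to confirm against your own trail.

```python
"""Flag CloudTrail events that remove or weaken S3 Block Public Access.

Added example, not Cloud Defense's own code. The trail below is constructed; the
requestParameters layout and eventSource values are assumptions to verify.
"""
import json
from typing import Dict, List, Optional

FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Assumption: bucket-level calls log as s3.amazonaws.com, account-level as s3control.amazonaws.com.
S3_SOURCES = {"s3.amazonaws.com", "s3control.amazonaws.com"}
# Changes that cannot be judged from the event name alone; report them for review.
REVIEW_EVENTS = {"PutBucketPolicy", "PutBucketAcl"}


def classify(event: Dict) -> Optional[Dict]:
    """Return a finding dict for a weakening or review-worthy event, else None."""
    if event.get("eventSource") not in S3_SOURCES:
        return None
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    target = params.get("bucketName") or params.get("accountId") or "account"
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    base = {"time": event.get("eventTime"), "actor": actor, "target": target, "event": name}
    if name == "DeletePublicAccessBlock":
        return {**base, "severity": "high", "reason": "public access block removed"}
    if name == "PutPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        off = [f for f in FLAGS if cfg.get(f) is not True]   # missing counts as off
        if off:
            return {**base, "severity": "high",
                    "reason": "public access block written with flags off: " + ", ".join(off)}
        return None   # a complete block being (re)applied is not a finding
    if name in REVIEW_EVENTS:
        return {**base, "severity": "medium",
                "reason": "bucket permissions changed; review the new policy or ACL"}
    return None


def scan(trail_json: str) -> List[Dict]:
    """Run classify over every record of one CloudTrail delivery file."""
    records = json.loads(trail_json).get("Records", [])
    return [f for f in map(classify, records) if f is not None]


# Constructed trail file (not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutPublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/platform-admin"},
     "requestParameters": {"bucketName": "finance-reports",
                           "PublicAccessBlockConfiguration": {f: True for f in FLAGS}}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeletePublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"bucketName": "legacy-static-site"}},
    {"eventTime": "2024-03-01T10:07:00Z", "eventSource": "s3control.amazonaws.com",
     "eventName": "PutPublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"accountId": "123456789012",
                           "PublicAccessBlockConfiguration": {
                               "BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"eventTime": "2024-03-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-deployer"},
     "requestParameters": {"bucketName": "partner-exchange"}},
    {"eventTime": "2024-03-01T10:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/auditor"},
     "requestParameters": {"bucketName": "partner-exchange"}},
    {"eventTime": "2024-03-01T10:11:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]})

if __name__ == "__main__":
    for finding in scan(SAMPLE_TRAIL):
        print(f"[{finding['severity']}] {finding['time']} {finding['actor']} "
              f"{finding['event']} on {finding['target']}: {finding['reason']}")
```

The sample yields two high-severity findings (the bucket-level block deleted on legacy-static-site and the account-level block rewritten with two flags off) and one medium finding for the policy change on partner-exchange; the read-only and non-S3 events are ignored. In production, point scan at the decompressed objects CloudTrail delivers to your log bucket, or wire the same classify logic into an EventBridge rule target.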

By following the above steps, you can ensure that S3 public access is blocked at account and bucket levels for FFIEC compliance, reducing the risk of unauthorized access and ensuring the confidentiality of sensitive data.
