This rule ensures that S3 buckets do not allow public read access to maintain data security.
| Rule | S3 buckets should prohibit public read access |
| Framework | GxP 21 CFR Part 11 |
| Severity | Medium |
Rule Description
This rule enforces that S3 buckets must not allow public read access, in order to comply with GxP 21 CFR Part 11. GxP refers to the good-practice guidelines (GMP, GLP, GCP and so on) that apply in regulated industries such as pharmaceutical, biotechnology and medical device manufacturing, and 21 CFR Part 11 is the FDA regulation that sets the criteria under which electronic records and electronic signatures are considered trustworthy and equivalent to paper records. A bucket that anyone on the internet can read undermines the access controls, confidentiality and accountability that Part 11 expects for such records, so public read access must be removed.
Troubleshooting Steps (if applicable)
If public read access is discovered on an S3 bucket, use the policy documents and remediation steps below. When investigating, keep in mind that public read access can come from three places: a bucket or object ACL that grants READ (or FULL_CONTROL) to the AllUsers or AuthenticatedUsers group, a bucket policy Allow statement for s3:GetObject whose Principal is "*", or the S3 Block Public Access settings being disabled at the bucket or account level, which is what lets the first two take effect. All three need to be checked; fixing only one of them is a common reason a bucket shows up as public again.
Necessary Codes (if applicable)
In some cases, applying a bucket policy or an IAM policy is necessary. The following policy documents can be used to deny public read access and to stop it from being granted again:
Bucket Policy Example
Create or update the bucket policy with the following JSON configuration. Note that a Deny on s3:GetObject for Principal "*" with no condition would deny every principal, including your own IAM users and roles, because an explicit Deny applies to everyone it matches; the statement below therefore limits the Deny to requests that do not originate from your own account. Anonymous (public) requests carry no aws:PrincipalAccount value, so the StringNotEquals condition is true for them and they are denied as well:
{
  "Version": "2012-10-17",
  "Id": "DisallowPublicReadAccess",
  "Statement": [
    {
      "Sid": "DenyPublicReadGetObject",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "YOUR_ACCOUNT_ID"
        }
      }
    }
  ]
}
Replace "YOUR_BUCKET_NAME" with the actual name of the S3 bucket that needs to be secured and "YOUR_ACCOUNT_ID" with your 12-digit AWS account ID. Because an explicit Deny takes precedence over any Allow statement or ACL grant, this blocks public reads even if a public grant still exists, but you should still remove the public Allow statement or ACL rather than rely on the Deny alone. If other AWS accounts legitimately read from this bucket, list their account IDs in the condition value before applying the policy, otherwise they will be locked out too.
IAM Policy Example
An identity-based IAM policy is evaluated only for the IAM user or role it is attached to, so it cannot block anonymous (public) requests at all, and the condition key aws:PrincipalType has no value "AllUsers" (its possible values are Account, User, FederatedUser, AssumedRole and Anonymous). What an IAM policy can do is prevent your own principals from opening a bucket up in the first place. Create or update an IAM policy with the following JSON configuration, which denies setting a public canned ACL on the bucket or its objects and denies changing the bucket's Block Public Access settings:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicCannedAcls",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketAcl",
        "s3:PutObjectAcl",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME",
        "arn:aws:s3:::YOUR_BUCKET_NAME/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": [
            "public-read",
            "public-read-write",
            "authenticated-read"
          ]
        }
      }
    },
    {
      "Sid": "DenyChangingBlockPublicAccess",
      "Effect": "Deny",
      "Action": "s3:PutBucketPublicAccessBlock",
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
    }
  ]
}
Replace "YOUR_BUCKET_NAME" with the actual name of the S3 bucket that needs to be secured. Attach the policy to the users, roles or groups that manage the bucket. This is a guardrail against re-introducing public access; it does not remove access that has already been granted, which is what the bucket policy and the remediation steps below are for.
Remediation Steps
To ensure S3 buckets disallow public read access and comply with GxP 21 CFR Part 11 regulations, follow these steps:
Identify all S3 buckets within your AWS account. The bucket list is global, so one listing covers every region.
Review the access permissions of each bucket for public read access: the bucket ACL (a READ or FULL_CONTROL grant to the AllUsers or AuthenticatedUsers group), the bucket policy (an Allow statement for s3:GetObject with Principal "*"), and whether Block Public Access is enabled for the bucket.
If any S3 bucket has public read access, remove the public ACL grant or Allow statement and apply the bucket policy above to deny public reads.
Open the command-line interface or terminal.
Run the following command to apply a bucket policy:
aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy file://policy.json
Replace "YOUR_BUCKET_NAME" with the actual name of the S3 bucket that needs to be secured.
Replace "policy.json" with the name of the JSON file containing the bucket policy configuration.
After applying the configuration, verify that public read access is no longer permitted: the bucket's policy status should no longer report the policy as public, the ACL should contain no grants to the public groups, Block Public Access should be enabled, and an unauthenticated HTTP GET of a known object key should return 403 Forbidden rather than the object.
Repeat this process periodically, or automate it: enable Block Public Access at the account level so that public ACLs and policies cannot take effect on any bucket, and use the AWS Config managed rule s3-bucket-public-read-prohibited to continuously flag buckets that drift back to public.
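The review and remediation steps above can be scripted. The following is an added example, not code from the original rule page or from AWS: the two inspection helpers evaluate ACL and bucket-policy documents offline (the sample documents are constructed to look like get-bucket-acl and get-bucket-policy output, and the bucket name, account ID and role name in them are placeholders), and remediate_bucket() turns on all four Block Public Access settings through boto3, which is only called when the script is run directly and needs AWS credentials.

```python
"""Added example: detect and remediate public read access on S3 buckets.

Not part of the original rule page. The inspection helpers run offline on
the constructed sample documents below; remediate_bucket() needs boto3 and
AWS credentials and is only invoked from the __main__ block.
"""
import fnmatch
import json

# S3 predefined groups; a grant to either of these makes an ACL public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields such as Action and Principal may be a string or a list."""
    return value if isinstance(value, list) else [value]


def acl_public_read_grants(acl):
    """Return ACL grants that give READ (or FULL_CONTROL) to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            hits.append(grant)
    return hits


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _action_covers_get_object(actions):
    """True if any action pattern ("s3:*", "s3:Get*", ...) matches s3:GetObject."""
    return any(fnmatch.fnmatchcase("s3:getobject", str(a).lower())
               for a in _as_list(actions))


def policy_public_read_statements(policy):
    """Return Allow statements that grant s3:GetObject to everyone.

    Statements that carry a Condition are still returned: some conditions
    (aws:SourceIp, aws:PrincipalOrgID) genuinely restrict access, others
    (aws:Referer, a date range) do not, so they need a manual look.
    """
    if not policy:
        return []
    return [stmt for stmt in _as_list(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow"
            and _principal_is_everyone(stmt.get("Principal"))
            and _action_covers_get_object(stmt.get("Action", []))]


def is_public_read(acl, policy):
    """Combined verdict: public if either the ACL or the policy opens reads."""
    return bool(acl_public_read_grants(acl) or policy_public_read_statements(policy))


# Constructed sample documents (placeholder owner ID, bucket name and account).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"},
        {"Sid": "AppList", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"},
    ],
}


def remediate_bucket(bucket, s3=None):
    """Enable all four Block Public Access settings on one bucket.

    With these set, public ACLs are ignored, new public bucket policies are
    rejected, and an existing public policy only works for principals in
    the bucket owner's account. Requires boto3 and AWS credentials.
    """
    import boto3  # imported here so the offline checks above need no SDK
    s3 = s3 or boto3.client("s3")
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )


if __name__ == "__main__":
    for grant in acl_public_read_grants(SAMPLE_ACL):
        print("public ACL grant:", json.dumps(grant))
    for stmt in policy_public_read_statements(SAMPLE_POLICY):
        print("public policy statement:", stmt.get("Sid"))
    print("public read:", is_public_read(SAMPLE_ACL, SAMPLE_POLICY))
```

To run the checks against a real account, feed the output of aws s3api get-bucket-acl and aws s3api get-bucket-policy (the policy is returned as a JSON string inside the "Policy" field) into the helpers for each bucket from aws s3api list-buckets, and call remediate_bucket() on the ones flagged. Action matching is done with shell-style wildcards because S3 policies allow "s3:*" and "s3:Get*"; checking only the literal "s3:GetObject" would miss those.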
Note: It is recommended to involve relevant security and compliance teams during the remediation process to ensure adherence to applicable regulations and internal policies.
By following these steps, you can successfully prohibit public read access in S3 buckets to maintain compliance with GxP 21 CFR Part 11 regulations.