
Rule: S3 Public Access Blocked at Account Level

This rule ensures S3 public access is blocked at the account level to maintain security.

Rule: S3 public access should be blocked at account level
Framework: GxP 21 CFR Part 11
Severity: Medium

Rule Description:

This rule is aimed at ensuring that public access to Amazon S3 (Simple Storage Service) is blocked at the account level for organizations complying with GxP 21 CFR Part 11 regulations. GxP refers to Good Practice, which includes guidelines and regulations for various industries, such as pharmaceuticals, biotechnology, and medical devices. 21 CFR Part 11 specifically pertains to the use of electronic records and electronic signatures in these regulated industries.

To comply with GxP 21 CFR Part 11, it is crucial to secure sensitive data stored in Amazon S3 buckets by blocking public access at the account level. By implementing this rule, organizations can prevent unauthorized access to their data, ensuring data integrity, confidentiality, and compliance with regulatory standards.

Troubleshooting Steps:

Troubleshooting steps may not be applicable for this specific rule, as it involves implementing a security measure rather than resolving issues. However, if any issues arise during the implementation process or if public access is mistakenly granted, the following steps can be taken:

  1. Verify the existing S3 bucket configurations: Check the bucket policies, access control lists (ACLs), and permission settings to ensure that the desired level of public access restriction is in place.

  2. Review AWS Identity and Access Management (IAM) policies: Analyze the IAM policies associated with the S3 bucket to ensure they align with the rule requirements. Make sure that there are no policies allowing public access unintentionally.

  3. Check bucket-level permissions: Double-check the bucket-level permissions to confirm that public access is blocked. Look for any permissions granted to "All Users" or "Authenticated Users" that might override the desired restriction.

  4. Test bucket access: Attempt to access the S3 bucket using different user roles or credentials to verify that public access is indeed blocked. This step ensures that the rule is correctly implemented and functional.

Necessary Codes:

This rule does not require any specific code to be written. However, the following code snippet is a sample bucket policy that can be applied alongside the rule: it denies s3:GetObject requests from any principal when the request is not made over TLS (the aws:SecureTransport condition evaluates to "false"), so objects cannot be read over unencrypted connections. Note that a bucket policy of this kind complements, but does not by itself enable, the account-level S3 Block Public Access setting.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockPublicAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Step-by-step Guide for Remediation:

To implement the rule and block public access at the account level for GxP 21 CFR Part 11 compliance, follow these step-by-step instructions:

  1. Identify the AWS account associated with the S3 buckets that need public access blocking.

  2. Access the AWS Management Console using appropriate credentials.

  3. Navigate to the S3 service from the AWS Management Console.

  4. Select the target S3 bucket that requires public access blocking.

  5. Click on the "Permissions" tab.

  6. Review the bucket policies, access control lists (ACLs), and permission settings to ensure there are no existing configurations that allow public access unintentionally.

  7. If necessary, modify the bucket policy to add the "block public access" rule. Replace "bucket-name" in the sample code with the actual name of the bucket.

  8. Click on "Bucket Policy Editor" and paste the "block public access" policy code.

  9. Save the policy by clicking "Save".

  10. Check the bucket-level permissions again to verify that public access is blocked.

  11. Test the bucket access using different user roles or credentials to confirm that public access is indeed blocked.

By following the above steps, public access will be effectively blocked at the account level for the specified S3 buckets, ensuring compliance with GxP 21 CFR Part 11 regulations.
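The troubleshooting steps and the remediation guide above describe console actions. The following script is an added example, not code from the Cloud Defense page, that performs the same remediation and verification with the AWS CLI: it enables the S3 Block Public Access setting at the account level through "aws s3control" (this setting is separate from any bucket policy, and it is what the rule's title refers to), optionally applies the same four settings to a single bucket, and then evaluates the returned configuration the way an audit check would, treating a missing setting as not enforced. The account ID, an installed AWS CLI v2, and IAM permissions for s3:PutAccountPublicAccessBlock and s3:GetAccountPublicAccessBlock are assumptions; the two JSON responses at the bottom are constructed samples in the shape the CLI returns, so the compliance check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the Cloud Defense page): configure and verify
# S3 Block Public Access at the ACCOUNT level with the AWS CLI.
# Assumptions: AWS CLI v2 is installed; the caller's credentials allow
# s3:PutAccountPublicAccessBlock and s3:GetAccountPublicAccessBlock.

# The four settings that together constitute "public access blocked".
BPA_SETTINGS="BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets"
BPA_ALL_TRUE="BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

# Apply the account-level block. $1 = 12-digit AWS account ID.
bpa_apply_account() {
  aws s3control put-public-access-block \
    --account-id "$1" \
    --public-access-block-configuration "$BPA_ALL_TRUE"
}

# Optional: apply the same four settings to one bucket. $1 = bucket name.
bpa_apply_bucket() {
  aws s3api put-public-access-block \
    --bucket "$1" \
    --public-access-block-configuration "$BPA_ALL_TRUE"
}

# Fetch the current account-level configuration as JSON. The CLI exits
# non-zero if no configuration has ever been set for the account.
bpa_fetch_account() {
  aws s3control get-public-access-block --account-id "$1" --output json
}

# Decide compliance from the JSON returned by get-public-access-block.
# Returns 0 only if every one of the four settings is literally true;
# a missing key counts as not enforced, which is how S3 treats it.
bpa_is_compliant() {
  json="$1"
  for key in $BPA_SETTINGS; do
    printf '%s' "$json" | grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*true" || return 1
  done
  return 0
}

# List the settings that are not true, one per line, for an audit finding.
bpa_missing_settings() {
  json="$1"
  for key in $BPA_SETTINGS; do
    printf '%s' "$json" | grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*true" || printf '%s\n' "$key"
  done
}

# Constructed sample responses (same shape as the real CLI output).
SAMPLE_COMPLIANT='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}'
# One setting false, one setting absent: both must be reported.
SAMPLE_NONCOMPLIANT='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": false, "BlockPublicPolicy": true}}'

# Live usage (placeholder account ID): ACCOUNT_ID=123456789012 sh bpa.sh
# Nothing below runs unless ACCOUNT_ID is set, so the script is safe to source.
if [ -n "${ACCOUNT_ID:-}" ]; then
  bpa_apply_account "$ACCOUNT_ID"
  current=$(bpa_fetch_account "$ACCOUNT_ID")
  if bpa_is_compliant "$current"; then
    echo "Account $ACCOUNT_ID: S3 public access blocked (compliant)"
  else
    echo "Account $ACCOUNT_ID: NON-COMPLIANT, settings not enforced:"
    bpa_missing_settings "$current"
    exit 1
  fi
fi
```

The check deliberately looks for each key being exactly true rather than for the absence of false, because S3 applies a setting only when it is present and true; an older account with no configuration at all, or a partial one written by another tool, must show up as non-compliant. Re-running the account-level command is idempotent, so it can be scheduled alongside the audit check.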
