This rule ensures that S3 buckets do not allow public read access for better data security.
| Rule | S3 buckets should prohibit public read access |
| --- | --- |
| Framework | HIPAA |
| Severity | Medium |
Rule Description:
S3 buckets that handle HIPAA data should have an access policy that prohibits public read access. This protects the confidentiality of the sensitive data stored in the buckets and supports compliance with HIPAA regulations.
Troubleshooting Steps:
If public read access is identified in an S3 bucket handling HIPAA data, the following troubleshooting steps can be taken:
Necessary Codes:
To enforce the prohibition of public read access for HIPAA S3 buckets, create a bucket policy with an explicit deny statement. The example below denies `s3:GetObject` to every principal whose request does not carry your AWS Organization ID; anonymous (public) requests carry no `aws:PrincipalOrgID` at all, so the `StringNotEquals` condition matches them and they are denied:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicRead",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalOrgID": "YOUR_AWS_ORGANIZATION_ID"
        }
      }
    }
  ]
}
```
Make sure to replace `bucket-name` with the actual name of the S3 bucket and `YOUR_AWS_ORGANIZATION_ID` with your organization's ID.

Remediation Steps:
To remediate the S3 bucket and enforce the prohibition of public read access, follow these steps:
By following these steps, you can ensure that S3 buckets storing HIPAA data do not allow public read access, thus maintaining the security and compliance of the data.
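To check whether an existing bucket policy already violates this rule, or already carries the org-scoped deny shown above, the following added example (not part of the original rule page) parses a policy document offline. The sample policies, the bucket name `example-bucket` and the organization ID `o-exampleorgid` are constructed for illustration.

```python
import json

# Constructed sample policies (not from the page): one publicly readable, one using the
# org-scoped deny pattern from the rule above.
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
ORG_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyPublicRead", "Effect": "Deny", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})

def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    """True when Principal matches every caller, anonymous requests included."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))

def _covers_get_object(actions):
    """True when any action pattern covers s3:GetObject (wildcards included)."""
    for action in _as_list(actions):
        action = action.lower()
        if action in ("*", "s3:*", "s3:getobject"):
            return True
        if action.endswith("*") and "s3:getobject".startswith(action[:-1]):
            return True
    return False

def public_read_statements(policy_json):
    """Sids of Allow statements granting GetObject to everyone. Conditioned statements are
    still reported: a Condition may narrow access, but that needs review, not an auto-pass."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if (stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
                and _covers_get_object(stmt.get("Action"))):
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings

def has_org_scoped_deny(policy_json):
    """True when a Deny blocks GetObject for any principal outside the org (the pattern above)."""
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if (stmt.get("Effect") == "Deny" and _principal_is_public(stmt.get("Principal"))
                and _covers_get_object(stmt.get("Action")) and "aws:PrincipalOrgID" in cond):
            return True
    return False
```

The check does not evaluate `NotAction`, `NotPrincipal`, bucket ACLs or account-level Block Public Access settings, so treat it as a first-pass review of the policy document rather than a full public-access evaluation.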