This rule ensures that S3 buckets do not allow public write access for enhanced security measures.
Rule | S3 buckets should prohibit public write access |
Framework | HIPAA |
Severity | ✔ High |
Rule Description:
This rule ensures that S3 buckets storing HIPAA compliant data prohibit public write access. This is crucial for maintaining the security and privacy of sensitive healthcare information stored in S3 buckets. Limiting write access to authorized users or applications helps prevent accidental or malicious alteration or deletion of data.
Troubleshooting Steps:
If public write access is mistakenly allowed for an S3 bucket holding HIPAA data, follow these troubleshooting steps to rectify the issue:
Necessary Code:
To enforce the policy of prohibiting public write access for an S3 bucket:
Bucket Policy:
You can attach this policy to the S3 bucket to enforce the prohibition of public write access.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyPublicWriteAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Condition": {
"Bool": {
"aws:SecureTransport": false
}
}
}
]
}
Note: Replace "bucket-name" with the name of your S3 bucket.
AWS CLI Command:
To apply the bucket policy using the AWS Command Line Interface (CLI), execute the following command:
aws s3api put-bucket-policy --bucket bucket-name --policy file://path/to/policy.json
Note: Replace "bucket-name" with the name of your S3 bucket and "path/to/policy.json" with the path to the policy file on your local system.
Remediation Steps:
To remediate an S3 bucket that allows public write access for HIPAA data:
"Effect"
is set to "Deny"
for the "Action"
"s3:PutObject"
and allowing only "aws:SecureTransport"
with value "false"
as a condition.Implementing these steps will help ensure HIPAA compliance by disallowing public write access for S3 buckets containing sensitive healthcare data.