This rule ensures that S3 public access is blocked at both the account and bucket levels.
| Field | Value |
| --- | --- |
| Rule | S3 public access should be blocked at account and bucket levels |
| Framework | HIPAA |
| Severity | Medium |
Rule Description:
This rule aims to ensure that public access to Amazon S3 buckets is blocked at both the account and bucket levels, in compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Troubleshooting Steps:
If the S3 public access is not blocked at the account and bucket levels, follow these troubleshooting steps:
1. Confirm the bucket policy: Ensure that no bucket policy allows public access. If a bucket policy allows public access, modify or remove it to restrict public access.
2. Check the bucket access control list (ACL): Ensure that the bucket ACL does not grant 'public-read' or 'public-read-write' permissions to any user or group. Modify the bucket ACL to remove any public access permissions.
3. Review the account-level settings: Cross-check the account-level settings to ensure that they do not allow public access to S3 buckets.
4. Verify the bucket permissions: Verify that the bucket permissions only allow authorized users, roles, or groups to access the contents of the bucket.
Code:
If necessary, you can use the following code examples to block S3 public access at the account and bucket levels.
Account-level Public Access Block:
To block public access at the account level, apply the following "PublicAccessBlockConfiguration" to the account. This is an account-wide S3 setting, configured through the S3 Control PutPublicAccessBlock API (the `aws s3control put-public-access-block` command), not a statement inside a bucket policy. Note that a bucket policy statement allowing `"Principal": "*"` to call `s3:*` would itself grant public access and must not be used here.

```json
{
  "BlockPublicAcls": true,
  "IgnorePublicAcls": true,
  "BlockPublicPolicy": true,
  "RestrictPublicBuckets": true
}
```
Bucket-level Public Access Block:
To block public access at the bucket level, apply the same four settings to each bucket through the S3 PutPublicAccessBlock API (the `aws s3api put-public-access-block` command). Bucket policy statements only have the effects "Allow" and "Deny"; there is no "Block" effect, and the public access block is a separate bucket setting rather than a policy statement.

```json
{
  "BlockPublicAcls": true,
  "IgnorePublicAcls": true,
  "BlockPublicPolicy": true,
  "RestrictPublicBuckets": true
}
```

A bucket policy can additionally deny object writes that are not made over TLS. This complements the public access block above but does not replace it:

```json
{
  "Version": "2012-10-17",
  "Id": "EnforceTLS",
  "Statement": [
    {
      "Sid": "DenyWritesWithoutTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Remediation Steps:
To remediate the S3 public access issue, follow these steps:
1. Review all existing bucket policies: Start by reviewing all bucket policies within your AWS account. Identify any policies that allow public access and modify or remove them accordingly.
2. Modify bucket ACLs: Ensure that the Access Control Lists (ACLs) for all relevant buckets do not grant 'public-read' or 'public-read-write' permissions. Remove any public access permissions from the bucket ACLs.
3. Enable the account-level public access block: Apply the "PublicAccessBlockConfiguration" at the account level with all four settings enabled, so that public access is blocked for all buckets within the account.
4. Enable the bucket-level public access block and update bucket policies: Apply the "PublicAccessBlockConfiguration" to each bucket with all four settings enabled, and remove any bucket policy statements that grant public access.
5. Validate changes: After applying the remediation steps, thoroughly test the S3 buckets' accessibility and ensure that public access is blocked at both the account and bucket levels.
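The validation step can be automated. The following is an added example, not code from this rule page or from AWS: it evaluates the four Block Public Access flags at both scopes on dicts shaped like the GetPublicAccessBlock API responses (so the logic runs offline), and includes a boto3 collector for live use. The account ID, bucket names and sample settings are constructed.

```python
"""Audit S3 Block Public Access at the account and bucket levels (added example)."""
from typing import Dict, List, Optional

# The four flags that together make up a full Block Public Access configuration.
REQUIRED_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                     "BlockPublicPolicy", "RestrictPublicBuckets")
Config = Optional[Dict[str, bool]]  # None: no configuration exists at that scope


def missing_settings(config: Config) -> List[str]:
    """Return the flags that are not True; an absent configuration fails all four."""
    config = config or {}
    # 'is not True' also catches string values such as "true" that slipped in.
    return [flag for flag in REQUIRED_SETTINGS if config.get(flag) is not True]


def evaluate(account: Config, buckets: Dict[str, Config]) -> Dict[str, List[str]]:
    """Map each non-compliant scope ("account" or a bucket name) to its missing flags.
    An empty result means the rule passes. A full account-level block already
    overrides weaker bucket settings at request time, but the rule requires both
    levels to be set explicitly, so every bucket is reported on its own."""
    scopes = [("account", account)] + list(buckets.items())
    return {name: missing_settings(cfg) for name, cfg in scopes if missing_settings(cfg)}


def fetch_from_aws(account_id: str) -> Dict[str, List[str]]:
    """Collect the live settings with boto3 (needs AWS credentials) and evaluate them."""
    import boto3
    from botocore.exceptions import ClientError

    def get(call):
        try:
            return call()["PublicAccessBlockConfiguration"]
        except ClientError as err:  # no configuration at this scope -> treat as unset
            if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
                return None
            raise

    s3, s3control = boto3.client("s3"), boto3.client("s3control")
    account = get(lambda: s3control.get_public_access_block(AccountId=account_id))
    buckets = {b["Name"]: get(lambda n=b["Name"]: s3.get_public_access_block(Bucket=n))
               for b in s3.list_buckets()["Buckets"]}
    return evaluate(account, buckets)


if __name__ == "__main__":
    # Constructed sample data standing in for real API responses.
    full = dict.fromkeys(REQUIRED_SETTINGS, True)
    partial = dict(full, IgnorePublicAcls=False, RestrictPublicBuckets=False)
    print(evaluate(full, {"logs-bucket": full, "web-assets": partial, "legacy": None}))
```

Running the sample reports `web-assets` (two flags off) and `legacy` (no configuration) as non-compliant while the account passes; `fetch_from_aws("<ACCOUNT_ID>")` performs the same evaluation against a real account.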
Note: The above steps and code examples provide a general guideline for blocking S3 public access at the account and bucket levels. Make sure to tailor the steps and code to match your specific AWS environment and requirements.