
Rule: S3 Buckets Should Prohibit Public Read Access

This rule ensures that S3 buckets do not allow public read access, which reduces the exposure of the data they hold.

Rule: S3 buckets should prohibit public read access
Framework: HIPAA
Severity: Medium

Rule Description:

This rule ensures that S3 buckets in an environment where HIPAA compliance is required are configured to prohibit public read access. Public read access refers to the permission settings that allow any user, authenticated or not, to read the contents of a bucket. By prohibiting public read access, the rule aims to protect sensitive data covered by HIPAA regulations from being accessed by unauthorized individuals or entities.

Troubleshooting Steps:

  1. Check the bucket policy: verify whether the bucket policy allows or denies public read access.
  2. Check the access control list (ACL): verify the ACL settings to ensure there are no grants giving public read access.
  3. Check for public URLs: scan the bucket for publicly accessible URLs using a tool like S3 Scanner, or manually review the objects' permissions.

Necessary Codes:

No specific codes are required for this rule. However, you can use AWS Command Line Interface (CLI) commands to check and modify the bucket policy and ACL.

Step-by-Step Guide for Remediation:

  1. List all S3 buckets in your AWS account:
     aws s3 ls
  2. For each bucket identified as subject to HIPAA compliance, validate the bucket policy:
     aws s3api get-bucket-policy --bucket <bucket-name>
     Ensure the policy does not contain any statements allowing public read access.
  3. Validate the bucket's access control list (ACL):
     aws s3api get-bucket-acl --bucket <bucket-name>
     Make sure that public read access is not granted at the bucket level.
  4. Inspect the permissions of individual objects within the bucket:
     aws s3api list-objects --bucket <bucket-name>
     Verify that there are no objects with public read permissions.
  5. If you find public access in the bucket policy, modify it to deny public read access:
     aws s3api put-bucket-policy --bucket <bucket-name> --policy <policy-json-file>
     The <policy-json-file> should reflect the desired policy for the bucket, explicitly denying public read access.
  6. If you find public access in the bucket ACL, modify it to deny public read access:
     aws s3api put-bucket-acl --bucket <bucket-name> --acl private
     This command sets the bucket's ACL to private, removing any public access granted.
  7. For individual objects with public read access, modify the permissions:
     aws s3api put-object-acl --bucket <bucket-name> --key <object-key> --acl private
     Replace <object-key> with the actual key of the object that needs its permissions updated.
  8. Repeat steps 2-7 for all relevant buckets to ensure public read access has been sufficiently prohibited.

Note: It is essential to understand the impact of changes made to bucket policies and ACLs. Ensure that the necessary permissions are granted to legitimate authenticated users or entities and that the modifications align with your organization's policies and HIPAA compliance requirements.

By following this step-by-step guide, you can remediate S3 buckets to prohibit public read access, ensuring compliance with HIPAA regulations.
