Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: S3 Public Access Blocked at Account and Bucket Levels

This rule ensures that S3 public access is blocked at both account and bucket levels.

RuleS3 public access should be blocked at account and bucket levels
FrameworkHIPAA
Severity
Medium

Rule Description

This rule is designed to ensure that public access to Amazon S3 buckets within an AWS account is blocked, specifically for organizations that must comply with the Health Insurance Portability and Accountability Act (HIPAA). By blocking public access at both the account and bucket levels, it helps protect sensitive data and prevents accidental exposure.

Troubleshooting Steps

If you encounter any issues or unexpected behavior while implementing this rule, follow these troubleshooting steps:

  1. 1.

    Double-check the bucket-level permissions: Make sure that the bucket access permissions are properly set to block public access. Verify that the bucket policy and access control list (ACL) settings are correctly configured.

  2. 2.

    Review account-level settings: Verify that the account-level settings are enabled to block public access. Check that the AWS Organizations service control policies (SCPs) or account settings are correctly applied and not conflicting with the bucket-level permissions.

  3. 3.

    Check the bucket policies: Examine any existing bucket policies to ensure they don't allow public access. Review the policy statements and confirm that they only grant necessary access to authorized users or services.

  4. 4.

    Use the AWS S3 Block Public Access features: Make use of the available AWS S3 Block Public Access features to enforce public access blocking. Ensure that you have properly configured these settings and enabled all necessary features.

  5. 5.

    Audit and monitor access logs: Regularly review the access logs and CloudTrail logs to identify any attempts or instances of forbidden public access. This allows you to troubleshoot and address any potential security vulnerabilities.

Necessary Codes

In order to block public access at the account and bucket levels, the following code snippets can be used as a reference:

Account-level Block Public Access Settings (via AWS CLI):

aws s3control put-public-access-block --account-id YOUR_AWS_ACCOUNT_ID --public-access-block-configuration "BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true"

Bucket-level Block Public Access Settings (via AWS CLI):

aws s3api put-public-access-block --bucket YOUR_BUCKET_NAME --public-access-block-configuration "BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true"

Step-by-Step Guide for Remediation

Here is a step-by-step guide to implement the rule and block S3 public access at the account and bucket levels:

  1. 1.

    Account-level Configuration:

    • Open the AWS Management Console and navigate to the AWS Organizations service.
    • Ensure that you have the necessary permissions to modify account-level settings.
    • Enable the Block Public Access settings for the appropriate AWS accounts:
      • Navigate to the "Organize accounts" page.
      • Select the desired account and click on "Account settings."
      • Scroll down to the "Block Public Access" section and enable all options.
      • Save the changes.
  2. 2.

    Bucket-level Configuration:

    • Open the AWS Management Console and navigate to the Amazon S3 service.
    • Select the desired bucket for which you want to block public access.
    • Click on the "Permissions" tab.
    • Under the "Public access" section, click on "Edit."
    • Enable the following options to block public access:
      • Block new public ACLs
      • Block new public bucket policies
      • Block public and cross-account access if the bucket has public policies
      • Restrict access to this bucket only from within the VPC for any requests that are made over the internet
    • Save the changes.
  3. 3.

    Validation:

    • Double-check the account-level and bucket-level configurations to ensure that the Block Public Access settings are correctly applied.
    • Verify that public access to the S3 buckets is now blocked. Test by attempting to access the bucket using a public URL or unauthorized credentials.
    • Review the AWS S3 access logs and CloudTrail logs to ensure that no public access attempts are recorded.

By following these steps, you can effectively block public access to the S3 buckets within your AWS account, maintaining HIPAA compliance and safeguarding sensitive data.

Is your System Free of Underlying Vulnerabilities?
Find Out Now