
Rule: S3 Buckets Should Prohibit Public Write Access

This rule ensures S3 buckets do not allow public write access to maintain data security.

Rule: S3 buckets should prohibit public write access
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

This rule ensures that the S3 buckets in an organization's AWS environment do not allow public write access. It is specifically aligned with the security requirement stated in NIST 800-171 Revision 2, a standard for protecting controlled unclassified information (CUI) in non-federal systems and organizations.

Troubleshooting Steps:

If an S3 bucket has public write access, it can pose a security risk, potentially allowing unauthorized individuals or entities to modify, delete, or inject malicious content into the bucket. To troubleshoot and remediate this issue, follow these steps:

  1. Identify the affected S3 bucket: Start by identifying the S3 bucket(s) that allow public write access. This can be done by listing all the S3 buckets in your AWS account or by using AWS CloudTrail logs to identify any unauthorized or unexpected write operations.

  2. Review bucket policies and access control lists (ACLs): Check the bucket policies and access control lists associated with the identified S3 bucket(s). Focus on identifying any entries that grant public write access or contain overly permissive permissions allowing unauthenticated access.

  3. Update bucket policies and ACLs: Modify the bucket policies and ACLs to prohibit public write access. Remove any entries that allow public write access or tighten the permissions to the minimum necessary to meet your organization's requirements.

  4. Test the changes: After updating the bucket policies and ACLs, thoroughly test the changes to ensure they have effectively restricted public write access. Attempt to write objects to the bucket from an unauthenticated user or entity to verify that such actions are no longer permitted.

Necessary Codes (if applicable):

In most cases, the necessary remediation steps can be accomplished through the AWS Management Console. However, if you prefer using the AWS Command Line Interface (CLI) or scripting, here are some examples of relevant AWS CLI commands:

  1. To update the bucket policy, use the following command:

     aws s3api put-bucket-policy --bucket <bucket-name> --policy file://bucket-policy.json

     Replace <bucket-name> with the name of your S3 bucket and provide the necessary bucket policy details in the JSON file.

  2. To update the bucket ACL, use the following command:

     aws s3api put-bucket-acl --bucket <bucket-name> --acl private

     Replace <bucket-name> with the name of your S3 bucket.

Remember to replace any placeholders (such as <bucket-name>) with the actual values corresponding to your environment.

Remediation Steps:

Follow these step-by-step guidelines to remediate the S3 buckets and prohibit public write access:

  1. Sign in to the AWS Management Console.

  2. Open the Amazon S3 service.

  3. Identify the S3 bucket(s) that allow public write access.

  4. Select the bucket you want to modify.

  5. Click on the "Permissions" tab.

  6. In the "Bucket Policy" section, click on "Edit".

  7. Update the bucket policy to restrict public write access. Remove any entries that allow public write access or modify the policy to only allow the necessary write permissions for authorized users or entities. Make sure the policy does not include "Effect": "Allow" for actions like "s3:PutObject" or "s3:PutObjectAcl" when the principal is "AWS": "*" or "AllUsers".

  8. Click on "Save changes".

  9. Go back to the "Permissions" tab.

  10. In the "Access control list" section, click on "Edit".

  11. Update the ACL to prohibit public write access. Ensure that the "Everyone (public access)" entry or any other entries allowing write access are removed.

  12. Click on "Save changes".

  13. Test the changes by attempting to write objects to the bucket from an unauthenticated user or entity. Confirm that such actions are now blocked.

  14. Repeat the process for any other identified S3 buckets allowing public write access.

By following these steps, you can successfully remediate the S3 buckets and enforce the prohibition of public write access, meeting the requirements set forth in NIST 800-171 Revision 2.
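The checks in the troubleshooting section (review the bucket policy and ACL for public write grants) and the policy criteria in remediation step 7 can be automated offline. The following Python is an added example, not Cloud Defense's code or an AWS library: it takes the JSON documents that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return (here embedded as constructed samples with a placeholder bucket name and the AWS documentation example account id), reports policy statements that allow a write action to Principal "*" or {"AWS": "*"}, flags ACL grants of WRITE, WRITE_ACP or FULL_CONTROL to the AllUsers or AuthenticatedUsers groups, and produces a policy with the public-write statements removed that could be written to bucket-policy.json for `put-bucket-policy`. It goes slightly beyond step 7 by also treating wildcard actions such as "s3:Put*" or "s3:*" as write grants.

```python
"""Offline check for public-write grants in an S3 bucket policy and ACL.

Added example (not Cloud Defense or AWS code). Input documents are the
JSON shapes returned by `aws s3api get-bucket-policy` / `get-bucket-acl`;
the samples below are constructed for the demonstration.
"""
import json

# Actions that let the grantee write objects or change their permissions.
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject")
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS_URI, AUTH_USERS_URI}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_is_write(action):
    """True if the action (IAM actions are case-insensitive) grants a write,
    including wildcards such as "s3:Put*", "s3:*" or "*"."""
    action = action.lower()
    if action.endswith("*"):
        prefix = action[:-1]
        return any(a.startswith(prefix) for a in WRITE_ACTIONS)
    return action in WRITE_ACTIONS


def public_write_statements(policy):
    """Return (Sid, has_condition) for each Allow statement that gives a
    public principal at least one write action. Statements carrying a
    Condition are still reported so they can be reviewed by hand."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not any(_action_is_write(a) for a in _as_list(stmt.get("Action"))):
            continue
        findings.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return findings


def remove_public_write(policy):
    """Return a copy of the policy without the unconditioned public-write
    statements; this is the document to write to bucket-policy.json."""
    flagged = {sid for sid, conditioned in public_write_statements(policy) if not conditioned}
    statements = _as_list(policy.get("Statement"))
    kept = [s for i, s in enumerate(statements)
            if s.get("Sid", f"statement[{i}]") not in flagged]
    return {**policy, "Statement": kept}


def acl_grants_public_write(acl):
    """True if the ACL gives a write-class permission to the AllUsers
    ("Everyone (public access)" in the console) or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in WRITE_PERMISSIONS:
                return True
    return False


# Constructed sample policy: one public read, one public write, one role write.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRoleWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed sample ACL with an "Everyone (public access)" WRITE grant.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print("public-write statements:", public_write_statements(SAMPLE_POLICY))
    print("ACL grants public write:", acl_grants_public_write(SAMPLE_ACL))
    print(json.dumps(remove_public_write(SAMPLE_POLICY), indent=2))
```

On the sample policy the check reports only "PublicUpload"; the public read statement is left alone because this rule is about write access, and the role-scoped write is kept because its principal is not public. Note that `put-bucket-acl --acl private` from the CLI section resets the ACL to owner-only access, so any non-public grants the ACL also carried have to be re-applied afterwards if they are still needed.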
