This rule checks that S3 Block Public Access is enabled at the account level, so that no bucket in the account can be made publicly readable or writable through an ACL or a bucket policy, whether by mistake or by a future change.
| Rule | S3 public access should be blocked at account level |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ Medium |
Rule Description:
The rule requires that S3 Block Public Access be enabled at the account level, with all four of its settings on, to meet the access-control requirements of NIST 800-171 Revision 2. A bucket becomes public through an ACL or a bucket or access point policy that grants access to anonymous or all-AWS principals, and a single mistake in one of those is enough to expose data. The account-level setting applies to every existing and future bucket in the account and cannot be loosened by a bucket-level setting, so it removes that failure mode for the whole account rather than bucket by bucket. It only closes off public access: IAM permissions, encryption, and logging are still needed to protect data from authenticated principals.
Troubleshooting Steps:
If you encounter any issues while implementing this rule, follow these troubleshooting steps:
Verify your IAM permissions: The caller needs `s3:GetAccountPublicAccessBlock` to read and `s3:PutAccountPublicAccessBlock` to change the account-level setting; full administrator access is not required. The account ID you pass (or the console session you use) must belong to the account being configured.
Check existing S3 bucket policies: Review bucket policies for Allow statements whose principal is `*` (or `{"AWS": "*"}`) with no condition limiting it to your own principals. Once account-level blocking is on, such grants are rejected when written and ignored in existing policies, but remove them anyway so the policy states what is actually allowed. Keep in mind that any bucket that was deliberately public, such as a static website bucket, stops serving anonymous requests; put that content behind CloudFront instead of trying to exempt the bucket, because account-level blocking has no per-bucket exemptions.
Review block public access settings: Account-level and bucket-level settings are evaluated together and the more restrictive one wins, so the account-level setting protects buckets whose own setting is off, while a bucket-level setting can never weaken it. All four account-level values must be true. If reading the account-level configuration fails with NoSuchPublicAccessBlockConfiguration, no configuration has ever been set, which is the non-compliant state.
Modify bucket policies: Where a policy still contains a public grant, delete that statement or restrict its principal to the accounts and roles that need access. An explicit Deny is not needed for this rule once account-level blocking is on; removing stray grants is what keeps the policy readable and reviewable.
Test bucket accessibility: After the change, an unauthenticated request to a bucket or object URL (a browser with no AWS session, or `curl` without credentials) must return 403 AccessDenied. Presigned URLs keep working because they carry a signed identity, and authenticated access from principals in your own account is unaffected; that is expected and not a failure of the control.
Necessary Codes:
In order to block public access at the account level, you can use the following AWS CLI command:
aws s3control put-public-access-block --account-id <your-account-id> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
This command sets the account-level configuration, which applies to every existing and future bucket in the account and takes effect immediately. It does not alter the settings shown on individual buckets; the effective protection is the more restrictive of the account-level and bucket-level settings, and there is no per-bucket exemption, so a bucket that genuinely must be public has to live in a separate account. Because the same command with `false` values reverts the control, restrict `s3:PutAccountPublicAccessBlock` to a small set of administrative roles and alert on calls to it in CloudTrail.
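As an added example (not code from the original page), the following script wraps the command above together with the verification the troubleshooting steps call for: it audits the account-level setting, applies the fix, and lists buckets whose policy S3 evaluates as public so they can be cleaned up before the change. It assumes AWS CLI v2 and credentials holding `s3:GetAccountPublicAccessBlock`, `s3:PutAccountPublicAccessBlock`, `s3:ListAllMyBuckets` and `s3:GetBucketPolicyStatus`; the function and sub-command names are the example's own. It handles the case the bare command does not show: an account that has never had a configuration written, where the read call fails with NoSuchPublicAccessBlockConfiguration instead of returning four false values.

```shell
#!/usr/bin/env bash
# Audit and remediate account-level S3 Block Public Access (BPA).
# Added example for this page, not code from the original. Assumes AWS CLI v2 and
# credentials allowed to call s3:GetAccountPublicAccessBlock and, for "fix",
# s3:PutAccountPublicAccessBlock. Only bpa_evaluate, bpa_remediate and
# bpa_public_buckets talk to AWS; bpa_missing_flags is pure and runs offline.
set -u

# The four settings, in the order the --query in bpa_evaluate returns them.
BPA_FLAGS="BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets"

# bpa_missing_flags "<v1> <v2> <v3> <v4>"
# Takes the CLI's text output for the four settings (True/False, whitespace-
# separated, in BPA_FLAGS order) and prints the names of the settings that are
# not True. Prints an empty line when the account is compliant. Missing values
# count as not enabled, so "" yields all four names.
bpa_missing_flags() {
    local missing="" name value
    # shellcheck disable=SC2086  # splitting the text output into words is intended
    set -- $1
    for name in $BPA_FLAGS; do
        value="${1:-}"
        [ $# -gt 0 ] && shift
        [ "$value" = "True" ] || missing="${missing:+$missing }$name"
    done
    printf '%s\n' "$missing"
}

# bpa_evaluate <account-id>
# Reads the account-level configuration and prints a verdict. An account that
# has never had a configuration written fails with
# NoSuchPublicAccessBlockConfiguration, which means nothing is blocked, so it
# is reported with all four settings missing.
# Returns 0 when compliant, 1 when not, 2 on an unexpected API error.
bpa_evaluate() {
    local account="$1" out missing
    if out=$(aws s3control get-public-access-block --account-id "$account" \
            --query 'PublicAccessBlockConfiguration.[BlockPublicAcls,IgnorePublicAcls,BlockPublicPolicy,RestrictPublicBuckets]' \
            --output text 2>&1); then
        missing=$(bpa_missing_flags "$out")
    elif printf '%s' "$out" | grep -q NoSuchPublicAccessBlockConfiguration; then
        missing=$BPA_FLAGS
    else
        printf 'error querying account %s: %s\n' "$account" "$out" >&2
        return 2
    fi
    if [ -z "$missing" ]; then
        printf 'account %s: COMPLIANT (all four settings enabled)\n' "$account"
        return 0
    fi
    printf 'account %s: NON-COMPLIANT, not enabled: %s\n' "$account" "$missing"
    return 1
}

# bpa_remediate <account-id>
# Applies the configuration this rule requires (the same call as in
# "Necessary Codes"). This immediately stops anonymous access through every
# public ACL and public bucket policy in the account, so run bpa_public_buckets
# first if anything is meant to be served publicly.
bpa_remediate() {
    aws s3control put-public-access-block --account-id "$1" \
        --public-access-block-configuration \
        'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'
}

# bpa_public_buckets
# Lists buckets whose bucket policy S3's own evaluation flags as public, i.e.
# the policies that still need cleaning up. Buckets without a policy fail with
# NoSuchBucketPolicy and are skipped; any other error is reported rather than
# silently treated as "not public". Public ACLs are not covered here.
bpa_public_buckets() {
    local bucket status
    for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
        if status=$(aws s3api get-bucket-policy-status --bucket "$bucket" \
                    --query 'PolicyStatus.IsPublic' --output text 2>&1); then
            [ "$status" = "True" ] && printf '%s\n' "$bucket"
        elif ! printf '%s' "$status" | grep -q NoSuchBucketPolicy; then
            printf 'warning: could not evaluate %s: %s\n' "$bucket" "$status" >&2
        fi
    done
    return 0
}

# Entry point. "audit <account-id>" reports; "fix <account-id>" remediates and
# re-audits; "buckets" lists buckets that are public by policy. With no
# arguments the script only defines the functions, so it can also be sourced.
case "${1:-}" in
    audit)   bpa_evaluate "${2:?account id required}" ;;
    fix)     bpa_remediate "${2:?account id required}" && bpa_evaluate "$2" ;;
    buckets) bpa_public_buckets ;;
esac
```

Run `./s3_bpa.sh audit 123456789012` before and after the change; `fix` applies the configuration and re-audits in one go. The exit status of `audit` (0 compliant, 1 not, 2 API error) makes it usable from CI or a scheduled job, and `buckets` gives the list of policies to clean up before the change so nothing that was deliberately public is cut off unnoticed.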
Step-by-Step Guide for Remediation:
Follow these steps to remediate this rule and block public access at the account level for NIST 800-171 Revision 2 compliance:
Review IAM permissions: Ensure that the principal you sign in with is allowed `s3:GetAccountPublicAccessBlock` and `s3:PutAccountPublicAccessBlock`.
Verify block public access settings: Check the current account-level settings by:
a. Logging in to the AWS Management Console with that principal.
b. Opening the S3 service.
c. Choosing "Block Public Access settings for this account" in the left navigation pane.
Enable block public access settings: If any of the four settings is off, click "Edit" and enable all of them; selecting "Block all public access" turns on all four at once. The API name of each setting is given in brackets:
Block public access to buckets and objects granted through new access control lists (ACLs) [BlockPublicAcls]: Enable
Block public access to buckets and objects granted through any access control lists (ACLs) [IgnorePublicAcls]: Enable
Block public access to buckets and objects granted through new public bucket or access point policies [BlockPublicPolicy]: Enable
Block public and cross-account access to buckets and objects through any public bucket or access point policies [RestrictPublicBuckets]: Enable
Apply changes: Click "Save changes" and, when the console asks you to confirm, type `confirm`. The setting takes effect across the account immediately.
Verify the changes: Review the block public access settings again to confirm that they are now enabled.
Test S3 bucket accessibility: From a browser or `curl` session with no AWS credentials, request an object URL in a bucket that previously relied on a public ACL or policy; the response must be 403 AccessDenied. Re-run the account-level check afterwards as well, since anyone with `s3:PutAccountPublicAccessBlock` can turn the setting back off.
By following these steps and implementing the necessary changes, you can block public access at the account level for NIST 800-171 Revision 2 compliance.