
Rule: S3 Buckets should prohibit public read access

This rule ensures that S3 buckets restrict public read access to maintain data security.

Rule: S3 buckets should prohibit public read access
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description

This rule requires that all S3 buckets have public read access disabled, in line with NIST 800-171 Revision 2 security standards. Allowing public read access to an S3 bucket can expose sensitive data to unauthorized users, which poses a security risk.

Troubleshooting Steps

If public read access is enabled for an S3 bucket, you need to follow these troubleshooting steps to rectify the issue:

  1. Identify the affected S3 bucket(s) that have public read access enabled.
  2. Review the permissions and policies associated with the S3 bucket to determine where the public read access is being granted.
  3. Make sure that all policies and ACLs (Access Control Lists) are properly configured to restrict public access.
  4. Check for any misconfigured IAM (Identity and Access Management) policies or roles that are allowing public read access.
  5. Review any bucket policies or bucket ACLs that may be granting public read access.
  6. Ensure that any associated data or objects within the bucket do not have public read permissions.
  7. Test the access controls by attempting to access the bucket from an unauthorized account or user to confirm that public read access is properly restricted.

Necessary Codes

To prohibit public read access for an S3 bucket, you can use the following example code to define a bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicRead",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::your-bucket-name/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpce": "vpce-your-vpce-id"
                }
            }
        }
    ]
}

Replace "your-bucket-name" with the name of your S3 bucket and "vpce-your-vpce-id" with the ID of your Amazon VPC endpoint. The Deny statement then rejects every s3:GetObject request that does not arrive through that endpoint, so objects can be read only from inside your VPC; because an explicit Deny takes precedence over any Allow, it also overrides any older statement that granted public read.
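To see why the condition operator in that Deny statement matters, here is a small evaluator for the subset of bucket-policy semantics the statement uses (an added example, not Cloud Defense's code or an AWS tool). It models wildcard principals, Action/Resource wildcards and the StringEquals/StringNotEquals operators, and evaluates an anonymous s3:GetObject request under the IAM rule that an explicit Deny overrides any Allow. The bucket name, endpoint ID and the legacy public-read statement are constructed placeholders.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_wildcard_principal(p):
    # "*" and {"AWS": "*"} both include anonymous (public) requests.
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def _condition_holds(condition, ctx):
    # A key absent from the request never satisfies StringEquals and always
    # satisfies StringNotEquals; internet requests carry no aws:SourceVpce.
    for op, clauses in condition.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {op} not modelled")
        for key, wanted in clauses.items():
            if (ctx.get(key) in _as_list(wanted)) != (op == "StringEquals"):
                return False
    return True

def anonymous_read_allowed(policy, obj_arn, ctx):
    # IAM order: an explicit Deny wins, then any matching Allow, else implicit deny.
    allowed = False
    for s in policy["Statement"]:
        if not (_is_wildcard_principal(s.get("Principal"))
                and any(fnmatch.fnmatchcase("s3:GetObject", a) for a in _as_list(s["Action"]))
                and any(fnmatch.fnmatchcase(obj_arn, r) for r in _as_list(s["Resource"]))
                and _condition_holds(s.get("Condition", {}), ctx)):
            continue
        if s["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def vpce_deny(operator):
    # The page's Deny statement, with the condition operator as a parameter.
    return {"Sid": "DenyPublicRead", "Effect": "Deny", "Principal": "*",
            "Action": "s3:GetObject", "Resource": ["arn:aws:s3:::your-bucket-name/*"],
            "Condition": {operator: {"aws:SourceVpce": "vpce-your-vpce-id"}}}

# Constructed legacy statement a bucket might still carry: world-readable objects.
LEGACY_PUBLIC_ALLOW = {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject", "Resource": "arn:aws:s3:::your-bucket-name/*"}

def compare_operators():
    # {operator: (readable from the internet, readable via the VPC endpoint)}
    obj = "arn:aws:s3:::your-bucket-name/report.csv"
    contexts = ({}, {"aws:SourceVpce": "vpce-your-vpce-id"})
    return {op: tuple(anonymous_read_allowed({"Statement": [LEGACY_PUBLIC_ALLOW, vpce_deny(op)]}, obj, c)
                      for c in contexts)
            for op in ("StringEquals", "StringNotEquals")}
```

With StringEquals the Deny only fires for requests that come through the endpoint, so an anonymous read from the internet is still granted by the legacy statement; with StringNotEquals that read is blocked and only the endpoint path remains.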

Step-by-Step Guide for Remediation

To remediate the S3 bucket and prohibit public read access, follow these steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon S3 service.
  3. Locate the S3 bucket that needs to have public read access disabled.
  4. Click on the bucket name to access its details.
  5. In the bucket details, go to the "Permissions" tab.
  6. Under "Bucket Policy", click on "Edit" to update the policy.
  7. Replace the existing bucket policy with the code mentioned above, ensuring that you replace "your-bucket-name" and "vpce-your-vpce-id" with the appropriate values.
  8. Click on "Save changes" to apply the new bucket policy.
  9. Verify that public read access has been disabled by attempting to access the bucket using a non-privileged user or account.
  10. Repeat these steps for any other S3 buckets that require the same remediation.

By following these steps and updating the bucket policy with the provided code, public read access will be prohibited for the S3 buckets, aligning with the security requirements specified in NIST 800-171 Revision 2.
