
Rule: S3 Buckets Should Prohibit Public Read Access

This rule ensures S3 buckets do not allow public read access, maintaining data security.

Rule: S3 buckets should prohibit public read access
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule/Policy Description:

The rule requires that every S3 bucket in the AWS environment be configured to prohibit public read access, in line with the National Institute of Standards and Technology (NIST) 800-171 Revision 2 security guidelines.

Troubleshooting Steps:

  1.

    Identify S3 buckets: List all S3 buckets in the AWS environment to determine which buckets are non-compliant with the rule.

    • AWS CLI Command:
      aws s3 ls
  2.

    Review bucket policies and permissions: Examine the permissions and policies of each S3 bucket to identify any instances where public read access is allowed.

    • AWS Management Console: Navigate to the S3 service, select a bucket, and review the "Permissions" tab.
    • AWS CLI Command:
      aws s3api get-bucket-policy --bucket BUCKET_NAME
  3.

    Check bucket ACLs: Inspect the Access Control Lists (ACLs) of the S3 buckets to identify any public read access permissions.

    • AWS Management Console: Navigate to the S3 service, select a bucket, and review the "Permissions" tab.
    • AWS CLI Command:
      aws s3api get-bucket-acl --bucket BUCKET_NAME

Remediation Steps:

  1.

    Review bucket requirements: Familiarize yourself with the NIST 800-171 Revision 2 guidelines for S3 bucket access. Ensure that all requirements are met before proceeding with the remediation steps.

  2.

    Modify bucket policy: If any S3 bucket has a policy allowing public read access, modify the bucket policy to remove the public access permission.

    • AWS Management Console: Navigate to the S3 service, select a bucket, go to the "Permissions" tab, and edit the bucket policy. Remove any statements granting public access.
    • AWS CLI Command:
      aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://bucket-policy.json
      (replace bucket-policy.json with the corrected policy file)

    Example bucket policy to prohibit public read access (note that an explicit Deny with Principal "*" and no Condition blocks s3:GetObject for every principal, including the bucket owner's own IAM identities; if authenticated reads must continue, scope the Deny with a Condition or rely on S3 Block Public Access instead):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyPublicReadAccess",
          "Effect": "Deny",
          "Principal": "*",
          "Action": ["s3:GetObject"],
          "Resource": ["arn:aws:s3:::BUCKET_NAME/*"]
        }
      ]
    }
    
  3.

    Update bucket ACL: If any S3 bucket has Access Control Lists (ACLs) allowing public read access, modify the ACLs to remove the public access permission.

    • AWS Management Console: Navigate to the S3 service, select a bucket, go to the "Permissions" tab, and edit the ACL. Remove any entries granting public access.
    • AWS CLI Command:
      aws s3api put-bucket-acl --bucket BUCKET_NAME --acl private
  4.

    Verify changes: Confirm that the modifications are successful by reviewing the bucket policies and ACLs for all S3 buckets that were non-compliant.

    • AWS Management Console: Navigate to the S3 service, select a bucket, and review the "Permissions" tab.
    • AWS CLI Command:
      aws s3api get-bucket-policy --bucket BUCKET_NAME
      and
      aws s3api get-bucket-acl --bucket BUCKET_NAME
  5.

    Monitor and enforce compliance: Regularly audit and verify the S3 bucket configurations to ensure ongoing adherence to the NIST 800-171 Revision 2 guidelines. Implement mechanisms or services that automatically detect and remediate any violations promptly.
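The following script is an added example, not Cloud Defense's code, for troubleshooting steps 2 and 3 and for the verification in remediation step 4: it evaluates the JSON documents returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` (or the equivalent boto3 calls `get_bucket_policy` and `get_bucket_acl`) and reports any grant of public read. The bucket name, account ID, VPC ID and the sample policy and ACL documents are constructed for illustration; the public-group URIs and the `NoSuchBucketPolicy` error code are real AWS values. Conditional grants to `*` are reported for manual review rather than judged, because AWS's own public-access evaluation treats some condition keys (such as source VPC or IP restrictions) as making a statement non-public and others as not.

```python
"""Offline audit of S3 bucket policy and ACL documents for public read grants."""
import json

# Real AWS group URIs; AWS counts a grant to either of these as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Lower-cased action names (and wildcards) that permit object reads.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means any caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_grants_read(actions):
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def load_policy_response(response):
    """get-bucket-policy returns {"Policy": "<json string>"}; parse the string."""
    return json.loads(response["Policy"])


def public_read_statements(policy):
    """Return (Sid, has_condition) for Allow statements granting object read to everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if _action_grants_read(stmt.get("Action")):
            findings.append((stmt.get("Sid", "<no Sid>"), bool(stmt.get("Condition"))))
    return findings


def public_read_acl_grants(acl):
    """Return (grantee URI, permission) for ACL grants giving read to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in READ_PERMISSIONS):
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def audit_bucket(policy, acl):
    """Combine both checks; public_read is True only for unconditional grants."""
    policy_findings = public_read_statements(policy)
    acl_findings = public_read_acl_grants(acl)
    return {
        "policy": policy_findings,
        "acl": acl_findings,
        "public_read": any(not cond for _, cond in policy_findings) or bool(acl_findings),
    }


def audit_live_bucket(bucket_name):
    """Fetch the documents with boto3 and audit them (needs AWS credentials)."""
    import boto3  # imported here so the offline functions above need no SDK
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        policy = load_policy_response(s3.get_bucket_policy(Bucket=bucket_name))
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = {}  # no policy attached: nothing to flag on the policy side
    return audit_bucket(policy, s3.get_bucket_acl(Bucket=bucket_name))


# Constructed sample documents (bucket, account and VPC IDs are placeholders).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerFullAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_POLICY, SAMPLE_ACL), indent=2))
```

Run it as-is to see the sample findings, or call `audit_live_bucket("your-bucket")` in an environment with credentials to check a real bucket; the same call after remediation step 2 and 3 should return `public_read: False`, which is the check step 4 asks for.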

Note: It is recommended to test the changes in a non-production environment before applying them in a production environment. Keep a record of the updated bucket policies and ACLs for documentation and auditing purposes.
