Rule for S3 Buckets Prohibiting Public Write Access
This rule ensures S3 buckets restrict public write access to enhance security.
| Rule | S3 buckets should prohibit public write access |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ High |
Rule Description
The rule ensures that S3 buckets should prohibit public write access in accordance with the guidelines provided by NIST 800-171 Revision 2. This security requirement is essential to protect sensitive data and prevent unauthorized modifications or tampering from external entities.
Troubleshooting Steps
If public write access is enabled for an S3 bucket, it may lead to potential security risks. To troubleshoot and enforce the rule, follow these steps:
- 1.
Identify the S3 buckets: Generate a list of all S3 buckets in your AWS account.
- 2.
Check bucket permissions: Review the permissions for each bucket to identify any public write access settings.
- 3.
Disable public write access: Modify the bucket policies to remove public write access permissions.
- 4.
Test the configuration: Verify that the S3 buckets no longer allow public write access.
- 5.
Regularly monitor: Implement a process to periodically review the bucket permissions to ensure ongoing compliance.
Necessary Codes
Depending on your specific requirements, you may need to use AWS CLI commands or modify bucket policies using JSON.
To identify the S3 buckets, use the following AWS CLI command:
aws s3 ls
To retrieve bucket policies, use the following AWS CLI command:
aws s3api get-bucket-policy --bucket BUCKET_NAME
To remove public write access from the bucket policy, you can use this AWS CLI command as an example:
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://policy.json
Ensure to replace
BUCKET_NAMEpolicy.jsonStep-by-Step Guide for Remediation
Follow these steps to enforce the prohibition of public write access for S3 buckets in accordance with NIST 800-171 Revision 2:
- 1.
Login to the AWS Management Console.
- 2.
Navigate to the AWS S3 service.
- 3.
Generate a list of all S3 buckets by running the following AWS CLI command:
aws s3 ls
- 1.Review the permissions of each bucket by executing the following AWS CLI command for each bucket:
aws s3api get-bucket-policy --bucket BUCKET_NAME
- 1.
Identify any S3 buckets that have public write access enabled in their policies.
- 2.
Create a JSON policy that removes the public write access permission from the bucket policy. An example policy would be:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyPublicWriteAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::BUCKET_NAME/*"
}
]
}
- 1.
Save the JSON policy in a file named
.policy.json - 2.
Update the bucket policy for each identified bucket using the AWS CLI command:
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://policy.json
Remember to replace
BUCKET_NAMEpolicy.json- 1.Verify the effectiveness of the changes by rerunning the following AWS CLI command for each updated bucket:
aws s3api get-bucket-policy --bucket BUCKET_NAME
- 1.Implement a regular monitoring process to review and ensure continuous compliance with the rule.
By following these steps, you can prohibit public write access to S3 buckets as per the security guidelines specified in NIST 800-171 Revision 2.