
Rule: S3 Public Access Should Be Blocked at Account Level

This rule ensures S3 public access is restricted at the account level to enhance security measures.

Rule: S3 public access should be blocked at account level
Framework: NIST 800-171 Revision 2
Severity: Medium

S3 Public Access Blocking for NIST 800-171 Revision 2

Description:

This rule is designed to ensure that public access to any Amazon S3 bucket is blocked at the account level, aligning with the security requirements defined in NIST 800-171 Revision 2. By implementing this rule, organizations can protect sensitive data stored in their S3 buckets and prevent unauthorized access.

Troubleshooting Steps:

In case you encounter any issues in implementing or enforcing this rule, you can follow these troubleshooting steps:

  1. Verify AWS account permissions: Ensure that you have sufficient permissions in your AWS account to configure S3 bucket policies. You should have administrative or sufficient IAM permissions to modify bucket policies.

  2. Check existing bucket policies: Review the existing bucket policies for your S3 buckets. Ensure that there are no conflicting or overlapping policies that may allow public access.

     You can check the bucket policies by navigating to the AWS S3 Management Console, selecting the bucket, and navigating to the "Permissions" tab. Under "Access control list (ACL)", click on "Bucket Policy" to view or edit the existing policy.

Necessary Code:

To complement the public access block, you can apply the following bucket policy. It denies s3:GetObject requests that are not made over TLS (the aws:SecureTransport condition), and it applies only to the named bucket; the account-level public access block that this rule checks is a separate S3 account setting, so use the policy in addition to that setting, not instead of it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockPublicAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Replace "YOUR_BUCKET_NAME" with the name of your S3 bucket.
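Reviewing a bucket policy by hand (troubleshooting step 2 above) is error-prone once a bucket has several statements. The following Python script is an added example, not code from the Cloud Defense page: it loads the page's policy plus a constructed world-readable policy, reports any Allow statement open to everyone ("Principal": "*") that carries no Condition, and checks whether the page's deny-on-plain-HTTP statement is present. Only the standard library is used; the bucket names and Sids in the constructed sample are placeholders.

```python
"""Static review of an S3 bucket policy document.

Added example, not code from the Cloud Defense rule page. It answers two
questions about a policy JSON: does any statement grant access to everyone
("Principal": "*") with no Condition attached, and is the deny-on-plain-HTTP
statement shown on the page present. The sample policies below are
constructed for illustration.
"""
import json

# The bucket policy from the page (YOUR_BUCKET_NAME left as the page's placeholder).
PAGE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlockPublicAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}
        }
    ]
}
""")

# Constructed example of a policy that makes every object world-readable.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    },
}


def statements(policy):
    """Normalise 'Statement', which IAM allows as a single object or a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def principals(stmt):
    """Flatten the Principal element into a list of principal strings."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    out = []
    for value in p.values():  # e.g. {"AWS": [...]} or {"Service": "..."}
        out.extend(value if isinstance(value, list) else [value])
    return out


def is_anonymous(stmt):
    """True when the statement applies to everyone, including unauthenticated callers."""
    return "*" in principals(stmt)


def public_allow_statements(policy):
    """Sids of Allow statements open to everyone with no Condition at all.

    Conditioned anonymous Allows are not returned; they still need manual review,
    since a weak condition (e.g. a broad aws:SourceIp range) can remain public.
    """
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in statements(policy)
        if stmt.get("Effect") == "Allow" and is_anonymous(stmt) and not stmt.get("Condition")
    ]


def denies_insecure_transport(policy):
    """True if some Deny statement for everyone is keyed on aws:SecureTransport == false."""
    for stmt in statements(policy):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if (stmt.get("Effect") == "Deny" and is_anonymous(stmt)
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("page policy", PAGE_POLICY), ("public-read policy", PUBLIC_READ_POLICY)):
        print(f"{name}: public allows={public_allow_statements(policy)}, "
              f"denies plain HTTP={denies_insecure_transport(policy)}")
```

To run it against a real bucket, feed the script the output of `aws s3api get-bucket-policy --bucket YOUR_BUCKET_NAME --query Policy --output text`. Note that the account-level BlockPublicPolicy setting rejects a policy like PUBLIC_READ_POLICY at PutBucketPolicy time, which is why the account-level block is the primary control and this review is a secondary check.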

Remediation Steps:

To remediate any non-compliant S3 buckets and enforce public access blocking, follow these remediation steps:

  1. Identify non-compliant S3 buckets: Review all the S3 buckets in your AWS account to identify non-compliant configurations. Non-compliant buckets are the ones that allow public access.

     You can list all your S3 buckets by running the following AWS CLI command:

     aws s3 ls

  2. Update bucket policy: For each non-compliant S3 bucket identified, update the bucket policy to enforce public access blocking using the code snippet provided above.

     Run the following AWS CLI command to update the bucket policy:

     aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy file://bucket-policy.json

     Replace "YOUR_BUCKET_NAME" with the name of the non-compliant S3 bucket, and "bucket-policy.json" with the path to the file containing the updated bucket policy.

  3. Verify the public access block: After updating the bucket policies, verify that public access to the buckets has been successfully blocked.

     You can navigate to the AWS S3 Management Console, select the bucket, and navigate to the "Permissions" tab. Ensure that the updated bucket policy is in effect and public access is denied.

  4. Repeat for all non-compliant buckets: Repeat steps 2 and 3 for each non-compliant S3 bucket identified during the initial assessment.

  5. Regularly review and monitor: Implement a process to regularly review and monitor the S3 bucket policies to ensure continuous compliance with the public access blocking rule.
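The steps above work bucket by bucket. The account-level block that this rule is named for is a single setting managed through the S3 Control API (`aws s3control get-public-access-block --account-id ...` and `put-public-access-block`), with four flags: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets. S3 applies the most restrictive combination of the account-level and bucket-level settings, so once all four are on at the account level every bucket is covered. The following Python script is an added example, not code from the Cloud Defense page: it evaluates the response shape those calls return, reports which flags are missing at the account level and which buckets are still exposed, and builds the CLI command for step 5's monitoring. The constructed sample responses are embedded so it runs offline; live mode assumes boto3 and botocore are installed and AWS credentials are configured.

```python
"""Audit S3 Block Public Access at account and bucket level.

Added example, not code from the Cloud Defense rule page. It evaluates the
PublicAccessBlockConfiguration shape returned by get-public-access-block;
S3 applies the most restrictive combination of account and bucket settings,
so a bucket is only reported for flags that are off at both levels. Live
lookups use boto3 and are optional; the sample responses are constructed.
"""
import sys

REQUIRED_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# Constructed sample responses. None models NoSuchPublicAccessBlockConfiguration,
# i.e. the setting has never been written and nothing is blocked at that level.
SAMPLE_ACCOUNT = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_BUCKETS = {
    "logs-archive": dict.fromkeys(REQUIRED_FLAGS, True),
    "public-assets": None,
    "reports": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
}


def missing_flags(config):
    """Flags absent or not true in a PublicAccessBlockConfiguration (None = no config)."""
    if config is None:
        return list(REQUIRED_FLAGS)
    return [flag for flag in REQUIRED_FLAGS if config.get(flag) is not True]


def effective_config(account, bucket):
    """Merge account and bucket settings: a flag is on if either level sets it."""
    return {flag: (account or {}).get(flag) is True or (bucket or {}).get(flag) is True
            for flag in REQUIRED_FLAGS}


def audit(account, buckets):
    """Return {'account_missing': [...], 'buckets': {name: [missing flags]}}.

    Only buckets that are still exposed after merging both levels are listed.
    """
    report = {"account_missing": missing_flags(account), "buckets": {}}
    for name, cfg in buckets.items():
        gaps = missing_flags(effective_config(account, cfg))
        if gaps:
            report["buckets"][name] = gaps
    return report


def put_account_block_command(account_id):
    """AWS CLI invocation that enables all four flags for the whole account."""
    return ["aws", "s3control", "put-public-access-block",
            "--account-id", account_id,
            "--public-access-block-configuration",
            ",".join(f"{flag}=true" for flag in REQUIRED_FLAGS)]


def fetch_live(account_id):
    """Pull real settings with boto3 (needs credentials); returns (account, {bucket: cfg})."""
    import boto3
    from botocore.exceptions import ClientError

    def lookup(call, **kwargs):
        try:
            return call(**kwargs)["PublicAccessBlockConfiguration"]
        except ClientError as exc:
            if exc.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
                return None  # setting never written at this level
            raise

    s3, s3control = boto3.client("s3"), boto3.client("s3control")
    account = lookup(s3control.get_public_access_block, AccountId=account_id)
    buckets = {b["Name"]: lookup(s3.get_public_access_block, Bucket=b["Name"])
               for b in s3.list_buckets()["Buckets"]}
    return account, buckets


if __name__ == "__main__":
    account_id = sys.argv[1] if len(sys.argv) > 1 else "<ACCOUNT_ID>"
    if len(sys.argv) > 1:  # python audit.py 123456789012  -> live audit
        account, buckets = fetch_live(account_id)
    else:                  # no argument -> offline demo on the constructed samples
        account, buckets = SAMPLE_ACCOUNT, SAMPLE_BUCKETS
    result = audit(account, buckets)
    print("account-level flags missing:", result["account_missing"])
    for name, gaps in result["buckets"].items():
        print(f"  exposed bucket {name}: missing {gaps}")
    if result["account_missing"]:
        print("remediation:", " ".join(put_account_block_command(account_id)))
```

Running the script with no arguments prints the offline demo; with an account ID it queries the live settings. Scheduling it (or an equivalent AWS Config rule) gives the recurring review that step 5 asks for, and the `account_missing` list being empty is the condition the rule checks.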
