This rule pertains to restricting public write access for S3 buckets.
Rule | S3 buckets should prohibit public write access
Framework | NIST 800-171 Revision 2
Severity | High
Rule Description
This rule checks that S3 buckets assessed against NIST 800-171 Revision 2 do not allow public write access. "Public write" means that anonymous callers (the AllUsers group), any signed-in AWS account (the AuthenticatedUsers group) or a "*" principal can upload, overwrite or delete objects, or change object ACLs. Such access lets an outsider plant malware or tampered data in the bucket, destroy records or run up storage costs. It can be granted in two places, the bucket ACL and the bucket policy, and the S3 Block Public Access settings override both, so a compliant bucket has Block Public Access enabled, no public ACL grants and no bucket policy statement that allows a "*" principal to write.
Troubleshooting Steps
Step 1: For each bucket, read the Block Public Access configuration (get-public-access-block) and the policy status (get-bucket-policy-status, which reports IsPublic). A bucket with all four Block Public Access flags set to true cannot allow public writes whatever its ACL or policy say.
Step 2: For the remaining buckets, inspect the ACL (get-bucket-acl) for WRITE, WRITE_ACP or FULL_CONTROL grants to the AllUsers or AuthenticatedUsers groups, and the bucket policy (get-bucket-policy) for Allow statements whose Principal is "*" or {"AWS": "*"} and whose Action covers s3:PutObject, s3:PutObjectAcl, s3:DeleteObject or a wildcard such as s3:* or s3:Put* that includes them.
Step 3: Remove those grants and statements, or enable Block Public Access on the bucket so that they are neutralised.
Step 4: Verify the changes: re-run the checks and confirm from an unauthenticated client that an upload to the bucket is refused with 403 AccessDenied.
Necessary Codes
No special tooling is needed for this rule: it is satisfied by the Block Public Access settings (all four flags set to true on the bucket and, ideally, on the account), by the absence of public grants in the bucket ACL, and by the bucket policy. The following bucket policy adds an explicit deny as defense in depth: it refuses object writes from any principal outside your AWS Organization. Replace EXAMPLE_BUCKET_NAME and the placeholder organization ID o-EXAMPLEORGID with your own values.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicWrites",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE_BUCKET_NAME/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        }
      }
    }
  ]
}
This statement denies the listed write actions on objects in EXAMPLE_BUCKET_NAME to every principal ("*") whose request does not carry your organization's ID in aws:PrincipalOrgID. Because StringNotEquals also matches when the key is absent, anonymous requests, which carry no organization ID, are denied as well, while principals in your own accounts keep whatever write access their identity policies grant. Do not write this condition as StringEquals with the value "*": StringEquals does not treat "*" as a wildcard, so such a condition never matches and the Deny never applies. Three caveats: an explicit Deny overrides ACL grants, but remove public ACL grants anyway rather than relying on the policy; if the account is not in an AWS Organization, condition on aws:PrincipalAccount with your account ID instead, or the Deny will lock out your own principals; and the statement covers object writes only, so bucket-level changes such as s3:PutBucketPolicy or s3:PutBucketAcl must be controlled through Block Public Access and identity policies.
Remediation Steps
Step 1: Identify the S3 bucket requiring remediation from the findings of the troubleshooting steps.
Step 2: Enable all four Block Public Access settings on the bucket (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) with put-public-access-block. Enabling the same settings at the account level protects buckets created later.
Step 3: Remove every WRITE, WRITE_ACP or FULL_CONTROL grant to the AllUsers or AuthenticatedUsers groups from the bucket ACL (resetting the bucket to the private canned ACL is the simplest route) and delete every Allow statement in the bucket policy that gives a "*" or {"AWS": "*"} principal a write action.
Step 4: Add the explicit deny to the bucket policy, replacing EXAMPLE_BUCKET_NAME and the placeholder organization ID o-EXAMPLEORGID with your own values:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicWrites",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:AbortMultipartUpload"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE_BUCKET_NAME/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        }
      }
    }
  ]
}
Step 5: Verify the changes: get-bucket-policy-status should report "IsPublic": false, the ACL should list only the bucket owner, and an unauthenticated PutObject against the bucket should be refused with 403 AccessDenied. Confirm that legitimate writers inside your organization can still upload; the Deny above intentionally blocks every account outside it, so an account that is not in an AWS Organization must use aws:PrincipalAccount instead.
By following these steps, you bring the bucket into line with the NIST 800-171 Revision 2 requirement to prohibit public write access.
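As an added example, not code from the original page, the following Python turns the troubleshooting and remediation steps above into logic that runs offline: it audits the three artefacts that decide whether a bucket allows public writes (Block Public Access flags, bucket ACL, bucket policy) and rewrites the policy into the org-scoped Deny shown under Necessary Codes. The bucket name, organization ID, ACL, policy and Block Public Access values below are constructed; in practice fetch the live values with boto3 (get_public_access_block, get_bucket_acl, get_bucket_policy) and push the result with put_bucket_policy.

```python
"""Audit an S3 bucket for public write access and harden its bucket policy.

Added example, not from the original page. Works on the Block Public Access
flags, bucket ACL and bucket policy, shaped like the get-public-access-block,
get-bucket-acl and get-bucket-policy responses; sample inputs are constructed.
"""
import copy
import fnmatch

# Object-level write actions (assumption: the set this rule cares about).
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                 "s3:DeleteObjectVersion", "s3:AbortMultipartUpload")
PUBLIC_ACL_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
PUBLIC_ACL_PERMS = ("WRITE", "WRITE_ACP", "FULL_CONTROL")

def _as_list(value):
    """Policy JSON allows a bare string/object wherever a list is expected."""
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True for "*" or {"AWS": "*"}: anonymous callers or any AWS account."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def grants_write(actions):
    """True if an action pattern (case-insensitive, * wildcards) covers a write."""
    return any(fnmatch.fnmatchcase(w.lower(), p.lower())
               for p in _as_list(actions) for w in WRITE_ACTIONS)

def public_write_statements(policy):
    """Allow statements that hand a public principal a write action."""
    return [st for st in _as_list(policy.get("Statement", []))
            if st.get("Effect") == "Allow"
            and is_public_principal(st.get("Principal"))
            and grants_write(st.get("Action", []))]

def public_write_acl_grants(acl):
    """Write-class permissions the ACL gives to AllUsers / AuthenticatedUsers."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
            and g["Permission"] in PUBLIC_ACL_PERMS]

def audit(bpa, acl, policy):
    """Return (allows_public_write, findings). Block Public Access overrides the
    grants: IgnorePublicAcls neutralises public ACL grants, RestrictPublicBuckets
    neutralises a public bucket policy."""
    findings = []
    acl_hits = public_write_acl_grants(acl)
    if acl_hits and not bpa.get("IgnorePublicAcls"):
        findings.append(f"ACL grants {acl_hits} to a public group")
    sids = [st.get("Sid", "<no Sid>") for st in public_write_statements(policy)]
    if sids and not bpa.get("RestrictPublicBuckets"):
        findings.append(f"policy statements {sids} allow public writes")
    return bool(findings), findings

def harden_policy(policy, bucket, org_id):
    """Return a new policy: public write Allows dropped, org-scoped Deny added."""
    bad = public_write_statements(policy)
    new = copy.deepcopy(policy)
    new["Statement"] = [st for st in _as_list(new.get("Statement", [])) if st not in bad]
    new["Statement"].append({
        "Sid": "DenyPublicWrites",
        "Effect": "Deny",
        "Principal": "*",
        "Action": list(WRITE_ACTIONS),
        "Resource": f"arn:aws:s3:::{bucket}/*",
        # StringNotEquals also matches requests carrying no org ID at all, i.e.
        # anonymous callers. Not in an Organization? Use aws:PrincipalAccount.
        "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": org_id}},
    })
    return new

# Constructed sample inputs (not real AWS data): public WRITE in the ACL, an
# any-account upload statement in the policy, two of four BPA flags on.
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_ACL_GROUPS[0]}, "Permission": "WRITE"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::EXAMPLE_BUCKET_NAME/*"},
    {"Sid": "AnyAccountUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::EXAMPLE_BUCKET_NAME/*"}]}

if __name__ == "__main__":
    print("before:", audit(SAMPLE_BPA, SAMPLE_ACL, SAMPLE_POLICY))
    fixed = harden_policy(SAMPLE_POLICY, "EXAMPLE_BUCKET_NAME", "o-EXAMPLEORGID")
    # The policy side is clean now; the ACL grant stands until it is removed
    # or IgnorePublicAcls is switched on.
    print("after:", audit(SAMPLE_BPA, SAMPLE_ACL, fixed))
```

Running the script shows why the steps above treat the ACL and the policy separately: hardening the policy removes the AnyAccountUpload statement and adds the Deny, but the audit still flags the public WRITE grant in the ACL until that grant is removed or IgnorePublicAcls is turned on, and with all four Block Public Access flags set the audit reports nothing even against the unfixed inputs.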