Login

Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: S3 Buckets Should Prohibit Public Read Access

This rule ensures S3 buckets restrict public read access, promoting data security.

RuleS3 buckets should prohibit public read access
FrameworkNIST 800-53 Revision 4
Severity
Medium

Rule Description:

This rule enforces the prohibition of public read access for S3 buckets in compliance with the NIST 800-53 Revision 4 security framework. Public read access to S3 buckets can expose sensitive data to unauthorized access and pose a significant security risk.

Troubleshooting Steps:

  2. 1.
    Identify the S3 buckets that have public read access.
  4. 2.
    Review the bucket policies and access control lists (ACLs) for each bucket.
  6. 3.
    Analyze the IAM policies attached to users, groups, and roles that interact with the buckets.
  8. 4.
    Check if any third-party applications or services have permissions to access the buckets.

Code Example:

To enforce the prohibition of public read access for S3 buckets, use the following bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicRead",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalType": "Anonymous"
                }
            }
        }
    ]
}

Remediation Steps:

  2. 1.
    Identify the S3 bucket that needs to have public read access prohibited.
  4. 2.
    Open the Amazon S3 management console.
  6. 3.
    Navigate to the bucket that needs to be updated.
  8. 4.
    Select the "Permissions" tab.
  10. 5.
    In the "Bucket Policy" section, click on "Edit".
  12. 6.
    Replace any existing bucket policy with the code example provided above.
  14. 7.
    Click on "Save" to apply the new bucket policy.

Alternatively, you can use the AWS Command Line Interface (CLI) to apply the bucket policy. Follow these steps:

  2. 1.
    Open the terminal or command prompt.
  4. 2.
    Run the following command, replacing "EXAMPLE-BUCKET" with your bucket name:
aws s3api put-bucket-policy --bucket EXAMPLE-BUCKET --policy '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicRead",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalType": "Anonymous"
                }
            }
        }
    ]
}'
  2. 1.
    Verify that the bucket policy was applied successfully by checking the S3 bucket's permissions in the management console.

By applying this bucket policy, you ensure that the S3 bucket does not allow public read access, thus aligning with the NIST 800-53 Revision 4 security requirement.

Is your System Free of Underlying Vulnerabilities?
Find Out Now