Rule: S3 Buckets Should Prohibit Public Write Access
This rule ensures that S3 buckets do not allow public write access to maintain security standards.
| Rule | S3 buckets should prohibit public write access |
| Framework | NIST 800-53 Revision 4 |
| Severity | ✔ High |
Rule Description:
This rule mandates that S3 buckets should not allow public write access in accordance with the guidelines outlined in NIST 800-53 Revision 4. It ensures that the buckets are configured to prevent unauthorized users from uploading or writing data to the bucket.
Reasoning:
Allowing public write access to S3 buckets can lead to various security risks, such as unauthorized data modification, accidental data leakage, or even complete data loss. By enforcing this rule, organizations can maintain proper access controls and protect the integrity and confidentiality of their data stored in S3 buckets.
Remediation:
To remediate this issue, you need to review and update the access control settings of the S3 bucket to restrict public write access. Follow the step-by-step guide below to apply the necessary changes.
Step 1: Access the AWS S3 Management Console
- 1.Login to the AWS Management Console.
- 2.Navigate to the S3 service.
Step 2: Select the Target S3 Bucket
- 1.From the list of available S3 buckets, select the one that needs to be modified.
- 2.Click on the bucket name to access its details.
Step 3: Modify Bucket Permissions
- 1.In the bucket details view, click on the "Permissions" tab.
- 2.Click on the "Block public access" button.
Step 4: Disable Public Write Access
- 1.
Under "Block public access (bucket settings)", ensure that all the following options are enabled:
- Block public access to buckets and objects granted through new access control lists (ACLs)
- Block public access to buckets and objects granted through any access control lists (ACLs)
- Block public access to buckets and objects granted through new public bucket or access point policies
- Block public and cross-account access to buckets and objects through any public bucket or access point policies
Note: Enabling these settings ensures that public write access is completely prohibited.
- 2.
Scroll down and click on the "Save" button to apply the changes.
Verification:
To verify that the S3 bucket no longer allows public write access, follow the steps below:
- 1.Access the detailed view of the modified bucket in the S3 Management Console.
- 2.Go to the "Permissions" tab.
- 3.Confirm that all the following options are enabled under "Block public access (bucket settings)":
- Block public access to buckets and objects granted through new access control lists (ACLs)
- Block public access to buckets and objects granted through any access control lists (ACLs)
- Block public access to buckets and objects granted through new public bucket or access point policies
- Block public and cross-account access to buckets and objects through any public bucket or access point policies
If all these settings are enabled, public write access is indeed prohibited as per the NIST 800-53 Revision 4 guidelines.
Troubleshooting:
- 1.If any scripts or applications require write access to the S3 bucket, make sure to create appropriate IAM roles and assign them to authorized entities.
- 2.Ensure that all relevant AWS policies are correctly applied to prevent public write access.
- 3.Review and audit the bucket's access control settings regularly to ensure ongoing compliance and security.