
Rule: S3 Public Access Blocked at Account Level

This rule ensures that S3 public access is blocked at the account level.

Rule: S3 public access should be blocked at account level
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule/Policy Description:

This rule requires that S3 public access be blocked at the account level, in accordance with the NIST 800-53 Revision 5 security guidelines. It is aimed at preventing unauthorized access to data stored in Amazon S3 buckets and at ensuring the confidentiality and integrity of that data.

Troubleshooting Steps (if applicable):

If there are any issues or limitations in implementing this rule, the following troubleshooting steps can be taken:

  1. Verify IAM permissions: Ensure that the account has the necessary IAM permissions to manage S3 bucket policies and access control settings.

  2. Check existing S3 bucket policies: Review the existing policies applied to the S3 buckets and identify whether any conflicting policies might be allowing public access.

  3. Review S3 bucket ACLs: Verify the Access Control Lists (ACLs) of the S3 buckets and ensure that there are no entries allowing public access.

  4. Check permission boundaries: Confirm that the permission boundary set for IAM users, groups, or roles does not allow them to override the account-level S3 public access block.

  5. Review S3 bucket policies from trusted sources: If bucket policies are imported from external sources, verify their integrity and ensure they do not allow public access.

  6. Check VPC endpoint policies: If S3 access is enabled through VPC endpoints, review the associated endpoint policies and ensure they do not permit public access.

Necessary Codes (if applicable):

No specific code is required for this rule. The implementation relies on configuring the account-level S3 public access block, which can be done directly through the AWS Management Console or with the AWS CLI.

Step-by-step Guide for Remediation:

To block S3 public access at the account level, follow these step-by-step instructions:

  1. Log in to the AWS Management Console using your account credentials.

  2. Navigate to the AWS S3 service.

  3. From the S3 dashboard, click on the "Account Settings" link.

  4. In the Account Settings page, scroll down to the "Block Public Access" section.

  5. Ensure that all four options under "Bucket settings for Block Public Access" are set to "On":

     a. Block all public access:

     • Block public access to buckets and objects granted through new access control lists (ACLs)
     • Block public access to buckets and objects granted through any access control list (ACL)
     • Block public access to buckets and objects granted through new public bucket policies
     • Block public and cross-account access to buckets and objects through any public bucket policies

  6. Click on the "Save changes" button to apply the settings.

  7. Once the changes are saved, AWS S3 will prevent any public access to buckets and objects at the account level.

It is important to regularly review and monitor the S3 bucket policies, ACLs, and VPC endpoint configurations to ensure ongoing adherence to the rule and NIST 800-53 Revision 5 security guidelines.
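As an added example (not part of the original rule page or of any vendor tooling), the following Python script supports the review mentioned above: it evaluates the JSON returned by `aws s3control get-public-access-block --account-id <id>` against the four settings listed in step 5, reports which ones are not enforced, and builds the matching `aws s3control put-public-access-block` remediation command. The sample response and the account ID `123456789012` are constructed placeholders.

```python
import json

# The four account-level Public Access Block settings, in the order the console
# lists them (API field name -> console wording from step 5 above).
REQUIRED_SETTINGS = {
    "BlockPublicAcls": "Block public access granted through new ACLs",
    "IgnorePublicAcls": "Block public access granted through any ACL",
    "BlockPublicPolicy": "Block public access granted through new public bucket policies",
    "RestrictPublicBuckets": "Block public and cross-account access through any public bucket policies",
}


def find_gaps(response_json):
    """Return the names of settings that are not enforced (not set to true).

    response_json is the text printed by
    `aws s3control get-public-access-block --account-id <id>`.
    An empty response stands in for the NoSuchPublicAccessBlockConfiguration
    error the CLI raises when no block was ever configured; in that case
    S3 enforces none of the four settings, so all four are reported.
    """
    if not response_json or not response_json.strip():
        return list(REQUIRED_SETTINGS)
    config = json.loads(response_json).get("PublicAccessBlockConfiguration", {})
    # Compare against the literal True so a missing key or a string "true" counts as a gap.
    return [name for name in REQUIRED_SETTINGS if config.get(name) is not True]


def remediation_command(account_id):
    """Build the CLI command that turns all four settings on at the account level."""
    settings = ",".join(f"{name}=true" for name in REQUIRED_SETTINGS)
    return (f"aws s3control put-public-access-block --account-id {account_id} "
            f"--public-access-block-configuration {settings}")


# Constructed sample response: the two ACL blocks are on, the two policy blocks are off.
SAMPLE_RESPONSE = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}})

if __name__ == "__main__":
    for name in find_gaps(SAMPLE_RESPONSE):
        print(f"NOT ENFORCED: {name} ({REQUIRED_SETTINGS[name]})")
    print(remediation_command("123456789012"))  # placeholder account ID
```

In practice, pipe the real CLI output into `find_gaps` and run the printed command only after confirming the caller has the `s3:PutAccountPublicAccessBlock` permission covered in troubleshooting step 1.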
