Rule: S3 Buckets Should Prohibit Public Write Access
This rule ensures that S3 buckets are secured by prohibiting public write access.
| Rule | S3 buckets should prohibit public write access |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description:
According to NIST 800-53 Revision 5, S3 buckets should not allow public write access. This means that only authorized users or applications should have the permission to write data to the S3 bucket, and public access should be restricted to read-only or completely denied.
Troubleshooting Steps:
- 1.
Check S3 Bucket Permissions: Review the bucket's access control settings to ensure that public write access is not granted.
- Open the AWS S3 Management Console and navigate to the bucket in question.
- Click on the "Permissions" tab and review the access control policies.
- 2.
Verify IAM Policies: Ensure that the IAM (Identity and Access Management) policies associated with the bucket do not grant public write permissions.
- Open the AWS IAM Management Console and navigate to the IAM policy attached to the user or role accessing the bucket.
- Review the policy to confirm that it does not allow public write access.
- 3.
Check Bucket Policies: Evaluate the bucket policies to ensure they do not permit public write access.
- Navigate to the bucket in the AWS S3 Management Console.
- Click on the "Permissions" tab and review the bucket policies associated with the bucket.
- Make sure the bucket policies do not contain any statements allowing public write access.
Necessary Codes:
No specific code snippets are required for this rule, as it primarily involves checking and modifying access control settings and policies.
Remediation Steps:
- 1.
Modify Bucket Access Control List (ACL): Adjust the bucket's Access Control List to deny public write access.
- Open the AWS S3 Management Console and navigate to the bucket in question.
- Click on the "Permissions" tab, and then choose "Access Control List".
- Ensure that there is no access granted to the "Everyone" group or any other public entities for write permissions. If found, remove the corresponding access rules.
- 2.
Update IAM Policies: Modify the IAM policy associated with the user or role accessing the bucket to prohibit public write access.
- Open the AWS IAM Management Console and navigate to the IAM policy attached to the user or role accessing the bucket.
- Review the policy and remove any statements allowing public write permissions.
- 3.
Adjust Bucket Policies: Modify the bucket policies to disallow public write access.
- Navigate to the bucket in the AWS S3 Management Console.
- Click on the "Permissions" tab and review the bucket policies associated with the bucket.
- Remove any statements that grant public write access.
- 4.
Validate Changes: After making the necessary adjustments, verify that public write access has been successfully prohibited for the S3 bucket.
- Attempt to write data to the bucket using a public URL or unauthorized user to confirm that write access is denied.
- Review the access control settings, IAM policies, and bucket policies to ensure they reflect the desired restrictions.
Note: Regularly monitor and audit your S3 bucket permissions to maintain compliance with NIST 800-53 and other security best practices.