Rule: S3 Public Access Should Be Blocked at Bucket Levels

This rule ensures that public access is blocked at the bucket level for high security.

Rule: S3 public access should be blocked at bucket levels
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description

This rule requires that public access to S3 buckets is blocked at the bucket level, in compliance with the NIST 800-53 Revision 5 security standard. By preventing public access, you minimize the risk of unauthorized access to sensitive data stored in S3 buckets.

Troubleshooting Steps

If public access is not properly blocked at the bucket level, you can follow the troubleshooting steps below:

  1. Verify Bucket Policies: Check the bucket policies associated with the S3 buckets. Ensure that there are no policies allowing public access.

  2. Access Control List (ACL) Review: Review the Access Control List for the buckets. Make sure there are no permissions granted to "All Users" or "Public."

  3. Public Access Block Configuration: Check the Public Access Block configuration settings for the bucket. Ensure that the block is enabled and properly configured.
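The three checks above as an added Python example (not CloudDefense's or AWS's code): it runs offline over constructed sample data shaped like the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock responses, flags public policy statements and ACL grants, and reports which of the four Public Access Block settings are still missing.

```python
import json

# The four Public Access Block settings S3 exposes; a compliant bucket has all four True.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
# Grantee URIs for the "All Users" and "Authenticated Users" ACL groups.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_policy_statements(policy_json):
    """Step 1: Sids of Allow statements granted to everyone (a Condition may narrow them, so review each hit)."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))]

def public_acl_grants(acl):
    """Step 2: permissions the ACL grants to the public groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def missing_pab_settings(pab):
    """Step 3: Public Access Block settings that are absent or False."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_KEYS if not cfg.get(k)]

# Constructed samples (hypothetical bucket) shaped like the three S3 API responses.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": False}}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("PAB settings to enable:", missing_pab_settings(SAMPLE_PAB))
```

Note that the Deny statement with the aws:SecureTransport condition (the same shape as the policy in the Necessary Code section) is not reported, because it does not grant anything; only Allow statements open to everyone are flagged.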

Necessary Code

The following bucket policy can be used at the bucket level; note that what it actually does is deny the listed object actions to any principal when the request is not made over TLS (aws:SecureTransport is false). Blocking public access itself is done through the Public Access Block settings enabled in the remediation steps below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicAccessBlock",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Note: Replace "BUCKET_NAME" with the actual name of your S3 bucket.

Remediation Steps

To block public access at the bucket level, follow the steps below:

  1. Navigate to the AWS Management Console and open the Amazon S3 service.

  2. Select the bucket for which you want to enable public access block.

  3. Click on the "Permissions" tab.

  4. Scroll down to the "Bucket Policy" section and click on the "Edit" button.

  5. Replace any existing bucket policies with the code provided above.

  6. Save the updated policy.

  7. Scroll down to the "Block public access" section and click on the "Edit" button.

  8. Enable the following settings:

     • Block all public access
     • Block public access to buckets and objects granted through new public bucket policies
     • Block public and cross-account access to buckets and objects through any public bucket policies

  9. Save the public access block settings.

  10. Repeat the above steps for any other S3 buckets that require public access block.

By implementing these steps, you will ensure that public access to S3 buckets is successfully blocked at the bucket level, complying with the NIST 800-53 Revision 5 security requirements.
