
Rule: S3 Public Access Blocked at Account Level

Ensure compliance by blocking S3 public access at account level.

Rule: S3 public access should be blocked at account level
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Medium

Rule Description:

The rule states that public access to S3 buckets should be blocked at the account level, in line with the guidance of the NIST Cybersecurity Framework (CSF) v1.1. Blocking public access at the account level is essential for maintaining the security and confidentiality of data stored in S3 buckets, because it overrides any bucket policy or ACL that would otherwise expose a bucket to the internet.

Troubleshooting Steps:

If the S3 public access is not blocked at the account level, you may encounter the following issues:

  1. Unauthorized access: Publicly accessible S3 buckets can be accessed by anyone on the internet, potentially leading to unauthorized disclosure or modification of sensitive data.

  2. Data breaches: Publicly accessible S3 buckets increase the risk of data breaches, as cybercriminals can exploit misconfigurations or vulnerabilities to gain access to sensitive information.

  3. Compliance violations: Failure to block public access to S3 buckets may result in non-compliance with regulatory requirements, industry standards, and best practices.

Necessary Codes:

To block public access at the account level for S3 buckets, you can use the following bucket policy (it is applied to each bucket in the remediation steps below). Note that a Deny statement with "Principal": "*" applies to every principal, including IAM users and roles in your own account, so review which workloads need the listed actions before applying it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BlockPublicAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:GetBucketAcl",
        "s3:PutBucketAcl",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Remediation Steps:

Follow these step-by-step instructions to remediate the S3 public access issue at the account level:

  1. Open the AWS Management Console and navigate to the AWS S3 service.

  2. Click on the "Services" dropdown menu at the top of the page and select "S3".

  3. On the S3 dashboard, click on "Settings" in the navigation panel.

  4. Under the "Block Public Access" section, click on the "Edit" button.

  5. Enable the following settings:

    • Block all public access
    • Block public access to buckets and objects granted through new access control lists (ACLs)
    • Block public access to buckets and objects granted through any access control lists (ACLs)

  6. Click on the "Save" button to apply the changes.

  7. Next, go to the "Permissions" tab in the navigation panel.

  8. Click on the "Bucket Policy" button.

  9. Replace any existing bucket policy with the provided code snippet.

  10. Click on the "Save" button to update the bucket policy.

  11. Repeat the above steps for all relevant S3 buckets in your AWS account.

By following these steps, you will have blocked public access at the account level for S3 buckets, aligning with the NIST CSF v1.1 guidelines. This protects the data stored in S3 buckets by mitigating the risk of unauthorized access and potential data breaches.
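The console steps above correspond to the four settings of the account-level PublicAccessBlockConfiguration that the s3control API exposes. The following added example (not Cloud Defense's own code) checks such a configuration for compliance with this rule, builds the parameters for the remediating put_public_access_block call, and scans a bucket policy for unconditional Allow statements granted to everyone, which is the exposure the account-level block neutralises. The account IDs, bucket name and policy are constructed sample values; the boto3 call is shown but not executed, so the script runs offline.

```python
import json

# The four account-level settings behind the console's "Block all public access" toggle
# (field names as returned by s3control GetPublicAccessBlock).
REQUIRED_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                     "BlockPublicPolicy", "RestrictPublicBuckets")

def failing_settings(config):
    """Return the settings that are absent or not True in a PublicAccessBlockConfiguration
    dict. None means the account has no configuration at all (the API raises
    NoSuchPublicAccessBlockConfiguration), which fails every setting."""
    if config is None:
        return list(REQUIRED_SETTINGS)
    return [name for name in REQUIRED_SETTINGS if config.get(name) is not True]

def is_compliant(config):
    return not failing_settings(config)

def remediation_request(account_id):
    """Keyword arguments for boto3 s3control.put_public_access_block(**request)."""
    return {"AccountId": account_id,
            "PublicAccessBlockConfiguration": {n: True for n in REQUIRED_SETTINGS}}

def _principals(principal):
    # Principal may be "*", a string ARN, or a dict mapping "AWS"/"Service" to str or list.
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in (v if isinstance(v, list) else [v])]
    return []

def public_allow_sids(policy_text):
    """Sids of unconditional Allow statements whose Principal includes "*"."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and "Condition" not in s
            and "*" in _principals(s.get("Principal"))]

# Constructed sample inputs (not real account data).
SAMPLE_CONFIG = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                 "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/Team"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("failing settings:", failing_settings(SAMPLE_CONFIG))  # two settings still off
    print("public statements:", public_allow_sids(SAMPLE_POLICY))  # ['PublicRead']
    # With credentials: import boto3; boto3.client("s3control").put_public_access_block(
    #     **remediation_request("111122223333"))
```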
