Rule: S3 Buckets should prohibit public write access
Ensure compliance by restricting public write access to S3 buckets.
| Rule | S3 buckets should prohibit public write access |
| Framework | PCI v3.2.1 |
| Severity | ✔ Critical |
Rule Description:
The rule states that S3 buckets should prohibit public write access for PCI v3 compliance. This ensures that sensitive data related to Payment Card Industry security standards cannot be tampered with or modified by unauthorized users.
Troubleshooting Steps:
- 1.
Identify the affected S3 buckets: Review the list of S3 buckets in your AWS account to determine which buckets allow public write access.
- 2.
Review bucket policies and ACLs: Examine the bucket policies and access control lists (ACLs) associated with the identified buckets to evaluate whether they allow public write access.
- 3.
Investigate access logs: Enable access logging for the S3 buckets and examine the logs to identify any unauthorized write attempts from the public.
- 4.
Identify the source of public access: Determine the source IP addresses or IAM users/roles responsible for granting public write access.
- 5.
Implement access restrictions: Apply appropriate access controls, such as bucket policies or IAM policies, to revoke public write access for the identified buckets.
Necessary Codes:
No specific codes are required for this rule as it is about configuring bucket policies and access controls.
Step-by-Step Guide for Remediation:
To remediate the S3 buckets allowing public write access, follow these steps:
- 1.
Identify the affected S3 buckets: Use the AWS Management Console, AWS CLI, or AWS SDKs to list all S3 buckets in your AWS account.
- 2.
Review bucket policies and ACLs: Go through each bucket's settings and check their bucket policies and access control lists (ACLs) to identify any existing public write permissions.
- 3.
Disable public write access: Update the bucket policy or ACL to remove the public write access. Modify the existing policy or create a new policy that explicitly denies public write access.
For example, in the bucket policy, ensure that the policy denies write access to the "Group" or "AllUsers" entity:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyPublicWrite", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/*" } ] }Alternatively, you can update the bucket's ACL to remove permissions for the "Everyone" group or specific IAM users/roles allowing public write access.
- 4.
Verify the changes: Double-check the updated bucket policy or ACL to ensure that public write access has been successfully removed.
- 5.
Monitor and log access: Enable access logging for the S3 buckets and regularly review the access logs for any suspicious activity or unauthorized write attempts.
- 6.
Continuously assess bucket configurations: Regularly audit the S3 bucket policies and ACLs to ensure ongoing compliance with the rule.
By following these steps, you can ensure that S3 buckets within your AWS environment prohibit public write access, thereby meeting the requirements for PCI v3 compliance.