Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.
Risk Level: Critical
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.NET.72
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
S3Bucket should have (accessPublicBlock.blockPublicAcls=true or accountAccessPublicBlock.blockPublicAcls=true) and (accessPublicBlock.ignorePublicAcls=true or accountAccessPublicBlock.ignorePublicAcls=true) and (accessPublicBlock.blockPublicPolicy=true or accountAccessPublicBlock.blockPublicPolicy=true) and (accessPublicBlock.restrictPublicBuckets=true or accountAccessPublicBlock.restrictPublicBuckets=true)
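The GSL logic above evaluated offline against constructed inputs, as an added example that is not CloudGuard's own code; it assumes the input dicts have the shape returned by "aws s3api get-public-access-block --bucket" (bucket level) and "aws s3control get-public-access-block --account-id" (account level), with None standing for the NoSuchPublicAccessBlockConfiguration case.

```python
# Added example: offline evaluation of rule D9.AWS.NET.72 (not CloudGuard code).
SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _flags(config):
    """Normalise one get-public-access-block result to {setting: bool}.

    None models a bucket or account with no configuration at all (the API
    raises NoSuchPublicAccessBlockConfiguration); S3 then applies none of
    the four blocks, so every setting counts as False.
    """
    block = (config or {}).get("PublicAccessBlockConfiguration", {})
    return {s: bool(block.get(s, False)) for s in SETTINGS}


def missing_settings(bucket_config, account_config=None):
    """Settings that are False at BOTH levels, i.e. the ones the rule flags."""
    b, a = _flags(bucket_config), _flags(account_config)
    return [s for s in SETTINGS if not (b[s] or a[s])]


def is_compliant(bucket_config, account_config=None):
    """True when every setting is enabled at the bucket or the account level."""
    return not missing_settings(bucket_config, account_config)


# Constructed sample inputs in the CLI's output shape (not real account data).
ACCOUNT_UNSET = None
ACCOUNT_ACLS_ONLY = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
BUCKET_ALL = {"PublicAccessBlockConfiguration": {s: True for s in SETTINGS}}
BUCKET_POLICY_ONLY = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    cases = [("all four at bucket level", BUCKET_ALL, ACCOUNT_UNSET),
             ("policy blocks only, no account setting", BUCKET_POLICY_ONLY, ACCOUNT_UNSET),
             ("policy blocks at bucket, ACL blocks at account", BUCKET_POLICY_ONLY, ACCOUNT_ACLS_ONLY),
             ("nothing configured anywhere", None, None)]
    for label, bucket, account in cases:
        gaps = missing_settings(bucket, account)
        verdict = "COMPLIANT" if not gaps else "NON-COMPLIANT, missing: " + ", ".join(gaps)
        print(f"{label}: {verdict}")
```

Feed it the real JSON from those two commands (or None when a command reports NoSuchPublicAccessBlockConfiguration) to reproduce the rule's verdict per bucket; the third case shows why the account-level setting must be read too, since a bucket-only check would wrongly flag it.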
REMEDIATION
From Console
- Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
- Select the check box next to the bucket
- Click 'Edit public access settings'
- Click 'Block all public access'
- Repeat for all the buckets in your AWS account that contain sensitive data
From TF
To enable the bucket-level Block public access setting, add the following to a Terraform file:

  # Applies all four Block public access settings to a single bucket.
  resource "aws_s3_bucket_public_access_block" "public_access_block_example" {
    bucket                  = "BUCKET-NAME"  # replace with the bucket name, or a reference such as aws_s3_bucket.example.id
    block_public_acls       = true           # reject new public ACLs on the bucket and its objects
    ignore_public_acls      = true           # ignore public ACLs that already exist
    block_public_policy     = true           # reject bucket policies that grant public access
    restrict_public_buckets = true           # limit a bucket with a public policy to AWS principals
  }
From Command Line
To set Block Public Access configurations, run:
aws s3api put-public-access-block --bucket BUCKET_NAME --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
References
- https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html#console-block-public-access-options
- https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-bucket.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_account_public_access_block
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-public-access-block.html
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Compliance Frameworks
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CIS Foundations v. 2.0.0
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset
Updated over 1 year ago