
lacework-global-807

S3 general purpose buckets should block public read access (Automated)

Description

This policy checks whether S3 buckets allow public read access. It evaluates the block public access settings, the bucket policy, and the bucket Access Control List (ACL). The policy fails if an Amazon S3 bucket permits public read access.

Some use cases may require that everyone on the internet be able to read from an S3 bucket. However, those situations are rare. To ensure the integrity and security of data, S3 buckets should not be publicly readable.
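As an added example (not part of this policy page or Lacework's own check logic), the following Python evaluates the three sources the description names for one bucket: the Block Public Access settings, the bucket policy statements, and the ACL grants. It assumes inputs in the shapes returned by boto3's get_public_access_block, get_bucket_policy and get_bucket_acl calls; the sample policy and grants are constructed.

```python
import json

# Constructed sample inputs (shapes follow boto3 get_bucket_policy / get_bucket_acl /
# get_public_access_block responses); not real buckets or accounts.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}]
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def policy_allows_public_read(policy_json):
    """Allow + wildcard Principal + read action + no Condition (NotPrincipal/NotAction not handled)."""
    stmts = json.loads(policy_json or "{}").get("Statement", [])
    for stmt in stmts if isinstance(stmts, list) else [stmts]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if any(a.lower() in READ_ACTIONS for a in (actions if isinstance(actions, list) else [actions])):
            return True
    return False

def acl_allows_public_read(grants):
    """READ or FULL_CONTROL granted to AllUsers/AuthenticatedUsers (console: 'List' for Everyone)."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in PUBLIC_GROUPS
               and g.get("Permission") in ("READ", "FULL_CONTROL") for g in grants)

def bucket_is_public_read(public_access_block, policy_json, grants):
    """RestrictPublicBuckets neutralises a public policy; IgnorePublicAcls neutralises public ACL grants."""
    pab = public_access_block or {}
    policy_public = policy_allows_public_read(policy_json) and not pab.get("RestrictPublicBuckets")
    acl_public = acl_allows_public_read(grants) and not pab.get("IgnorePublicAcls")
    return bool(policy_public or acl_public)
```

Note that BlockPublicPolicy only prevents new public policies from being attached, so an existing public policy is still a finding unless RestrictPublicBuckets is also set.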

Remediation

Using the Console:

Block Public Access:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, select the non-compliant bucket.
  3. Navigate to Permissions.
  4. Select Edit to change the public access settings for the bucket. For more information about the four Amazon S3 Block Public Access Settings, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html#access-control-block-public-access-options.
  5. Select RestrictPublicBuckets as the setting to change, and then choose Save.
  6. When asked for confirmation, enter confirm and click Confirm to save the changes.

Bucket Policy:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, select the bucket to update.
  3. Navigate to Permissions.
  4. Navigate to Bucket Policy and select Edit.
  5. Check for any Statement with Effect set to 'Allow', Principal set to '*' or {'AWS': '*'}, and no Condition element.
  6. To disable access, remove the Statement.
  7. To limit access to a specific AWS account or Identity and Access Management (IAM) user, replace the unrestricted Principal element with the Amazon Resource Name (ARN) of the AWS account or user.
  8. Select Save changes.

Bucket Access Control List:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, select the bucket to update.
  3. Navigate to Permissions.
  4. Navigate to Access Control List and select Edit.
  5. Against Everyone (public access), clear 'List' under Objects. This disables public access. A more secure alternative is to enable 'List' on the 'Bucket Owner (your AWS account)' option instead, which permits listing only by authenticated identities within your AWS account.
  6. Select Save changes.

Using the CLI:

To enable all Block Public Access settings on the bucket:

aws s3api put-public-access-block --bucket <bucket_name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

References

https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-2
https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html#access-control-block-public-access-options