Profile Applicability:

  • Level 1


Description:

This control ensures that Amazon Simple Storage Service (S3) buckets do not allow public access, whether to anyone on the internet or to any authenticated AWS account. Buckets with public read or write access expose sensitive data to unauthorized entities and significantly increase the risk of data leakage, deletion, or modification. Keeping S3 buckets private by default helps maintain data confidentiality and integrity.


Rationale:

Publicly accessible S3 buckets are a common cause of large-scale data breaches. Data stored in such buckets can be viewed, downloaded, or overwritten by anyone on the internet or any AWS account. Enforcing private access and reviewing access control lists (ACLs) and bucket policies regularly prevents accidental data exposure and supports compliance with security standards such as CIS, SOC 2, ISO 27001, GDPR, and HIPAA.


Impact:

  • Positive Impact:

    • Prevents unauthorized access to sensitive or regulated data.

    • Strengthens the overall data security posture.

    • Supports compliance with global data protection frameworks.

  • Negative Impact:

    • Legitimate public resources (e.g., public datasets, static websites) may require exceptions with documented business justifications.


Default Value:

Since April 2023, newly created S3 buckets have all four Block Public Access settings enabled and ACLs disabled (Object Ownership set to Bucket owner enforced), so they are private unless the bucket owner explicitly changes those settings. Buckets created before that date, or created with the settings deliberately turned off, may still allow public access and must be reviewed.


Pre-Requisite:

  • IAM permissions required: s3:ListAllMyBuckets, s3:GetBucketAcl, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetBucketPublicAccessBlock, s3:PutBucketPublicAccessBlock, s3:PutBucketPolicy, and s3:PutBucketAcl.

  • Familiarity with existing S3 use cases (to identify buckets that are intentionally public).


Remediation:

Test Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon S3 → Buckets.

  3. Review the Access column in the bucket list.

    • Buckets whose Access column shows “Public” or “Objects can be public” are potentially non-compliant. “Objects can be public” means Block Public Access is not fully enabled, so an ACL or policy could expose objects even if none currently does.

  4. Click on a bucket name → Permissions tab.

  5. Check the following:

    • Block public access (bucket settings) section: Ensure “Block all public access” is On, which turns on all four individual settings:

      • Block public access to buckets and objects granted through new access control lists (ACLs)

      • Block public access to buckets and objects granted through any access control lists (ACLs)

      • Block public access to buckets and objects granted through new public bucket or access point policies

      • Block public and cross-account access to buckets and objects through any public bucket or access point policies

    • Access Control List (ACL): Ensure no permissions are granted to “Everyone (public access)” or “Authenticated users group (anyone with an AWS account)”. If Object Ownership is set to Bucket owner enforced, ACLs are disabled and cannot grant access.

    • Bucket Policy: Review the JSON policy for statements that combine "Effect": "Allow" with "Principal": "*" (or the equivalent "Principal": {"AWS": "*"}). Such a statement makes the bucket public unless its Condition block restricts the caller to a specific network, account, or organization (for example aws:SourceVpce or aws:PrincipalOrgID). The Access column and the s3:GetBucketPolicyStatus API report AWS's own evaluation of whether the policy is public; use them to confirm a manual reading.

  6. If any of the above configurations allow public access, the bucket is non-compliant.


Implementation Plan 

Using AWS Console:

  1. Navigate to Amazon S3 → Buckets.

  2. Select the non-compliant bucket.

  3. Go to the Permissions tab.

  4. In the Block public access (bucket settings) section, click Edit.

  5. Turn on “Block all public access” (which selects all four individual settings) and click Save changes. Where no bucket in the account needs to be public, apply the same four settings at the account level (Amazon S3 → Block Public Access settings for this account); the account-level setting applies to every bucket in the account and cannot be relaxed per bucket.

  6. In the Access Control List (ACL) section:

    • Remove “Everyone (public access)” and “Authenticated users group (anyone with an AWS account)” from granted permissions, or set Object Ownership to Bucket owner enforced to disable ACLs for the bucket entirely.

  7. In the Bucket policy section:

    • Edit the policy to remove any "Principal": "*" statement that allows public access, or restrict it by naming the specific IAM roles or AWS accounts that need access in the Principal element (or by adding a Condition that limits the caller to a known network or organization).

    • A secure bucket policy grants access only to explicitly named principals and contains no Allow statement whose Principal is "*" without a restricting Condition.

  8. Save changes and validate by rechecking the bucket access in the S3 console.
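The Test Plan checks (steps 5 and 6) and the Implementation Plan's policy restriction (step 7) expressed as code, as an added example that is not part of the original page. It works on the JSON documents the S3 API returns (GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy), so the audit and the policy rewrite run offline on the constructed sample bucket at the bottom; fetch_bucket_state() shows the corresponding boto3 calls for a live bucket. The bucket name example-bucket, the role ARN, the organization ID and the shortlist of restricting condition keys are assumptions.

```python
"""Audit an S3 bucket's public-access settings and restrict a public bucket
policy. Added example; the sample bucket state at the bottom is constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTHENTICATED_USERS}
# The four Block Public Access settings; a compliant bucket has all four True.
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
FULL_BLOCK = {key: True for key in BPA_KEYS}  # payload for PutPublicAccessBlock
# Condition keys that pin a wildcard principal to a network, account or org.
# Assumption: a shortlist of common keys; GetBucketPolicyStatus stays authoritative.
RESTRICTING_CONDITION_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
                              "aws:principalorgid", "aws:principalaccount",
                              "aws:principalarn", "aws:userid"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_is_public(stmt):
    """Allow + Principal "*" (or {"AWS": "*"}) with no restricting Condition key."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
    if not wildcard:
        return False
    return not any(key.lower() in RESTRICTING_CONDITION_KEYS
                   for keys in stmt.get("Condition", {}).values() for key in keys)


def public_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if statement_is_public(s)]


def public_acl_grants(acl):
    """Grants to Everyone (AllUsers) or to the Authenticated users group."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS]


def disabled_bpa_settings(config):
    return [key for key in BPA_KEYS if not config.get(key, False)]


def audit_bucket(bpa_config, acl, policy):
    """Test Plan steps 5-6: an empty list means the bucket is compliant."""
    findings = [f"Block Public Access setting {k} is not enabled"
                for k in disabled_bpa_settings(bpa_config)]
    findings += [f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
                 for g in public_acl_grants(acl)]
    findings += [f"policy statement {s.get('Sid', '<no Sid>')} allows Principal * unconditionally"
                 for s in public_statements(policy)]
    return findings


def restrict_policy(policy, allowed_principal_arns):
    """Implementation Plan step 7: rewrite each public Allow statement to name
    only the given principals; with an empty list the statement is dropped."""
    statements = []
    for stmt in _as_list(policy.get("Statement", [])):
        if not statement_is_public(stmt):
            statements.append(stmt)
        elif allowed_principal_arns:
            statements.append({**stmt, "Principal": {"AWS": list(allowed_principal_arns)}})
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


def fetch_bucket_state(s3, bucket):
    """Live read via a boto3 S3 client (needs the s3:Get* permissions listed under
    Pre-Requisite). A missing policy or BPA configuration maps to an empty document."""
    from botocore.exceptions import ClientError
    state = {"acl": s3.get_bucket_acl(Bucket=bucket)}
    for key, call in (("bpa", lambda: s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]),
                      ("policy", lambda: json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"]))):
        try:
            state[key] = call()
        except ClientError as err:
            if err.response["Error"]["Code"] not in ("NoSuchBucketPolicy", "NoSuchPublicAccessBlockConfiguration"):
                raise
            state[key] = {}
    return state["bpa"], state["acl"], state["policy"]


# Constructed sample: one BPA setting off, a public-read ACL grant, and a policy
# mixing a public GetObject statement with an organization-restricted one.
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": True}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_BPA, SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
    print(json.dumps(restrict_policy(SAMPLE_POLICY, ["arn:aws:iam::123456789012:role/app-reader"]), indent=2))
```

Against the sample the audit reports three findings (BlockPublicPolicy off, the AllUsers READ grant, and the PublicRead statement) and leaves OrgOnly alone because its aws:PrincipalOrgID condition already restricts the caller. To apply the result to a live bucket, pass FULL_BLOCK to the boto3 client's put_public_access_block(Bucket=..., PublicAccessBlockConfiguration=FULL_BLOCK) and the rewritten policy to put_bucket_policy(Bucket=..., Policy=json.dumps(...)); re-run the audit afterwards and confirm get_bucket_policy_status reports IsPublic false before closing the finding.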


Backout Plan:

Using AWS Console:

  1. If legitimate users or applications lose access due to tightened permissions, temporarily modify the bucket policy to include their IAM roles or AWS accounts explicitly.

  2. Document the exception and limit its duration to the shortest possible timeframe.

  3. Re-enable strict permissions once alternative secure access mechanisms (e.g., presigned URLs, CloudFront, or IAM roles) are configured.



References: