🛡️ AWS S3 Bucket Policy allows public read or write access🟢

Contextual name: 🛡️ Bucket Policy allows public read or write access🟢
ID: /ce/ca/aws/s3/bucket-public-policy
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS S3 Bucket
- 🔌 AWS S3 Bucket - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [S3.2] S3 general purpose buckets should block public read access
AWS Security Hub: [S3.3] S3 general purpose buckets should block public write access

Description

Description

This policy identifies AWS S3 Buckets whose bucket policies grant public read or write access.

A bucket policy is considered public if it contains a statement with "Effect": "Allow" and a "Principal" set to "*" or {"AWS": "*"}. The evaluation focuses on permissions that allow reading (s3:GetObject, s3:GetObjectVersion, s3:ListBucket), writing (s3:PutObject, s3:DeleteObject, s3:DeleteObjectVersion, s3:PutObjectAcl, s3:PutBucketAcl, s3:PutBucketPolicy), or any broader permissions that implicitly include these actions (e.g., "*", s3:*, or s3:Delete*).

Rationale

Publicly accessible bucket policies pose significant security risks. Granting s3:GetObject to a public principal allows anyone on the internet to read objects stored in the bucket, potentially resulting in data exposure. Similarly, granting write-related permissions, such as s3:PutObject or s3:DeleteObject, allows unauthorized users to upload, modify, or delete objects, jeopardizing data integrity and availability.

... see more

Remediation

Open File

Remediation

Disable Public Access for S3 Bucket Policies

Enable S3 Block Public Access

Enabling Block Public Access provides a centralized and comprehensive safeguard against unintended public exposure of S3 bucket data. These settings take precedence over any existing ACLs or bucket policies that may otherwise permit public access.

From Command Line

Use the following command to enable Block Public Access on the bucket:
aws s3api put-public-access-block \
    --bucket {{bucket-name}} \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
Update the Bucket Policy

To further restrict public access, review and update the bucket policy to replace broad public access ("Principal": "*") with specific principals as needed.
Retrieve the current bucket policy and save it locally:
aws s3api get-bucket-policy \
    --bucket {{bucket-name}} \
    --query Policy \
    --output text > policy.json
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.2] S3 general purpose buckets should block public read access			2	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.3] S3 general purpose buckets should block public write access			2	no data
💼 AWS Well-Architected → 💼 SEC08-BP04 Enforce access control			7	no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			106	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	72	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	89	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	52	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	61	no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			12	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	64	no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			12	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			35	no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			12	no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			28	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			72	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			40	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			72	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		73	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			52	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		61	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			12	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		53	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			12	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			35	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			150	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			149	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			76	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			120	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			164	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			140	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			156	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			103	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	44	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			18	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	99	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	52	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	54	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	66	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			35	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			18	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			28	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			29	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			28	no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	60	no data
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		6	24	no data
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			24	no data
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.			11	no data
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			24	no data
💼 PCI DSS v3.2.1 → 💼 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.			11	no data
💼 PCI DSS v3.2.1 → 💼 7.2.1 Coverage of all system components.			10	no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			60	no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			60	no data
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			24	no data
💼 PCI DSS v4.0.1 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			11	no data
💼 PCI DSS v4.0.1 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.			10	no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	60	no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			60	no data
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.		7	24	no data
💼 PCI DSS v4.0 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			11	no data
💼 PCI DSS v4.0 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.			10	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Remediation​

Remediation​

Disable Public Access for S3 Bucket Policies​

Enable S3 Block Public Access​

From Command Line​

Update the Bucket Policy​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Remediation

Remediation

Disable Public Access for S3 Bucket Policies

Enable S3 Block Public Access

From Command Line

Update the Bucket Policy

policy.yaml

Linked Framework Sections