S3 Buckets Should Not Allow Public READ Access

​

More Info:

AWS S3 buckets should not allow public READ access in order to protect against unauthorized access.

​

Risk Level

Medium

​

Address

Security

​

Compliance Standards

HIPAA, PCIDSS, NIST, SOC2, AWSWAF

​

Remediation

​

Using Console

Sure, I can help you with that. Here are the step by step instructions to remediate the issue “S3 Buckets Should Not Allow Public READ Access” in AWS:

1. Log in to the AWS Management Console.
2. Go to the S3 service.
3. Select the bucket that has public READ access.
4. Click on the Permissions tab.
5. Under the Public access settings, click on Edit.
6. Uncheck the box that says “List objects” and “View object permissions” for “Everyone”, “Authenticated users” and “Log delivery group”.
7. Click on Save changes.

After following these steps, your S3 bucket will no longer allow public READ access.

​

Using CLI

To remediate the misconfiguration of S3 buckets allowing public READ access in AWS using AWS CLI, you can follow the below steps:

1. Open the AWS CLI on your local machine and run the following command to list all the S3 buckets in your AWS account:

   aws s3api list-buckets
   

2. Identify the S3 bucket(s) that have public READ access.

3. Run the following command to remove public READ access from the identified S3 bucket(s):

   aws s3api put-bucket-acl --bucket <bucket-name> --acl private
   

   Replace <bucket-name> with the name of the identified S3 bucket.

4. Verify that public READ access has been removed from the S3 bucket(s) by running the following command:

   aws s3api get-bucket-acl --bucket <bucket-name>
   

   Replace <bucket-name> with the name of the identified S3 bucket.

5. Repeat steps 3 and 4 for all the S3 buckets that have public READ access.

6. Once all the S3 buckets have been remediated, ensure that you have a process in place to regularly monitor your S3 buckets for public READ access and remediate any misconfigurations promptly.

​

Using Python

To remediate the issue of S3 Buckets allowing public READ access in AWS using python, follow these steps:

1. Install the AWS SDK for Python (boto3) using pip:

pip install boto3

2. Create an AWS S3 client using boto3:

import boto3

s3 = boto3.client('s3')

3. List all S3 buckets in your AWS account using the list_buckets() method:

response = s3.list_buckets()

for bucket in response['Buckets']:
    print(f'Bucket Name: {bucket["Name"]}')

4. For each S3 bucket, check if it has any public READ access by using the get_bucket_acl() method:

response = s3.get_bucket_acl(Bucket='bucket-name')

for grant in response['Grants']:
    if 'URI' in grant['Grantee'] and grant['Permission'] == 'READ':
        print('Public READ access found')

5. If public READ access is found, remove it by using the put_bucket_acl() method:

response = s3.put_bucket_acl(
    Bucket='bucket-name',
    ACL='private'
)

print('Public READ access removed')

6. Repeat steps 4-5 for all S3 buckets in your AWS account.

By following these steps, you can remediate the issue of S3 Buckets allowing public READ access in AWS using python.

​

Additional Reading:

• https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html