Severity: Critical
Service: S3

S3 general purpose buckets should block public read access

Compliance: PCI DSS, NIST, ISO 27001, HIPAA

Description

Checks whether S3 general purpose buckets block public read access through both ACLs and bucket policies, including policies that allow 's3:GetObject' (or overly permissive actions such as 'Action: *') to 'Principal: *' or 'Principal: AWS: *'. A bucket is only compliant when neither mechanism grants public read.

Remediation

To block public read access for S3 buckets, follow these steps:

Steps

  1. Sign in to the AWS Management Console and open the Amazon S3 console.
  2. Choose the name of the bucket to modify.
  3. Select the 'Permissions' tab.
  4. In the 'Block Public Access' settings, enable 'Block public access to buckets and objects granted through new access control lists (ACLs)' and 'Block public access to buckets and objects granted through any access control lists (ACLs)'.
  5. Review the 'Access Control List (ACL)' section to ensure no public 'READ' permissions are granted.
  6. Review the bucket policy to ensure it does not allow 's3:GetObject' or any overly permissive actions (such as 'Action: *' with 'Principal: *' or 'Principal: AWS: *').
  7. Where specific principals need read access, grant it through IAM roles and policies scoped to those principals rather than through public ACLs or bucket policy statements.
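
The check described in the Description, as an added example that is not part of this page or of any vendor's scanner: a pure-Python evaluation of a bucket policy document and of an ACL grant list, in the shapes boto3's get_bucket_policy and get_bucket_acl return, run here on constructed sample inputs (a real audit would feed the same functions from those API calls). Statement conditions are not evaluated, so a conditional public statement is still reported for review.

```python
import json

# Group URIs that make an ACL grant public (anonymous, or any AWS account)
PUBLIC_ACL_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_is_public(principal):
    # Covers 'Principal: "*"' and 'Principal: {"AWS": "*"}' (also inside lists)
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def _action_grants_read(action):
    # s3:GetObject itself, or a wildcard that includes it
    acts = {a.lower() for a in _as_list(action)}
    return bool(acts & {"*", "s3:*", "s3:get*", "s3:getobject"})

def policy_public_read_statements(policy_json):
    """Return the Sid (or index) of every Allow statement granting public read.
    Conditions are not evaluated, so conditional statements are flagged for review."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope here
        if _principal_is_public(stmt.get("Principal")) and _action_grants_read(stmt["Action"]):
            findings.append(stmt.get("Sid", "statement[%d]" % i))
    return findings

def acl_public_read_grants(grants):
    """Return the group URI of every public READ/FULL_CONTROL grant ('Grants' list from get_bucket_acl)."""
    return [g["Grantee"]["URI"] for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_URIS
            and g.get("Permission") in ("READ", "FULL_CONTROL")]

# Constructed sample inputs (not from a real account): one public statement, one scoped to a role
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "RoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
                 {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}]
```

Running both checks on the samples reports the 'PublicRead' statement and the AllUsers grant; the role-scoped statement and the owner grant are not findings.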
