Description:

Lightsail provides object storage in the form of buckets. You can add objects to a bucket by uploading files in the Lightsail console or by configuring your application to put content such as logs or other application data into the bucket.


Rationale:

If the bucket or any object in it is public, anyone on the internet can read that content without authentication, so any sensitive data stored there (logs, backups, application data) is exposed.


Impact:

When the bucket is private, only principals that have been granted the appropriate permissions (or a bucket access key) can read the bucket and its objects.


Default value:

Lightsail buckets and objects are set to private by default.


Audit:

  1. Sign in to the AWS Management Console

  2. Go to the Lightsail service at https://lightsail.aws.amazon.com/

  3. Select the Storage tab, choose the bucket and click on it to examine it

  4. Go to the Permissions tab and check its access permissions

    If the access setting is anything other than "All objects are private" (that is, all objects are public, or individual objects can be made public), follow the Implementation steps.


Remediation:

Pre-requisites:

  • Sign in as admin or IAM user with required permissions


Implementation Steps:

  1. Sign into AWS Management console

  2. Go to the Lightsail service at https://lightsail.aws.amazon.com/

  3. Select the Storage tab, choose the bucket and click on it to modify it

  4. Go to the Permissions tab and click on Change permissions

  5. Select "All objects are private", so that objects are readable only by you or by anyone you explicitly give access to

  6. Click on Save


Via CLI:

Use update-bucket with an access rule that keeps every object private and disallows per-object public overrides (replace <bucket-name> with the name of the bucket):

 aws lightsail update-bucket --bucket-name <bucket-name> --access-rules getObject=private,allowPublicOverrides=false

Synopsis of the relevant options:

 update-bucket
--bucket-name <value>
[--access-rules <value>]
[--readonly-access-accounts <value>]

The optional --readonly-access-accounts flag grants read-only access to other AWS account IDs; it does not make the bucket public, but review the list and remove accounts that no longer need access.
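The console check above covers one bucket at a time. The script below is an added example (not part of the original page or of AWS's own tooling) that audits every bucket in the account from the shape returned by the Lightsail GetBuckets API, where each bucket record carries an accessRules object with getObject ("public" or "private") and allowPublicOverrides (boolean). It treats a bucket as compliant only when getObject is private and allowPublicOverrides is false, because a private bucket that still allows overrides can expose individual objects. The client object, sample bucket records and page tokens are constructed for the example; for a live audit pass boto3.client("lightsail") to audit() instead of the fake client.

```python
"""Audit Lightsail bucket access rules and emit the remediation command.

Added example, not from the original page. The record shape (buckets,
accessRules.getObject, accessRules.allowPublicOverrides, nextPageToken)
matches the Lightsail GetBuckets API as returned by boto3; the sample
data and FakeLightsailClient below are constructed for offline use.
"""
from typing import Any, Dict, Iterable, List


def bucket_exposure(bucket: Dict[str, Any]) -> str:
    """Classify one bucket record.

    "public"      -> every object is world-readable
    "overridable" -> bucket default is private, but individual objects
                     may be made public (allowPublicOverrides is true)
    "private"     -> fully private (the compliant state)
    """
    rules = bucket.get("accessRules") or {}
    if rules.get("getObject") == "public":
        return "public"
    if rules.get("allowPublicOverrides", False):
        return "overridable"
    return "private"


def fetch_all_buckets(client) -> List[Dict[str, Any]]:
    """Follow nextPageToken until GetBuckets stops returning one.

    `client` is anything with a get_buckets() method that accepts an
    optional pageToken keyword; boto3's lightsail client qualifies.
    """
    buckets: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {}
    while True:
        page = client.get_buckets(**kwargs)
        buckets.extend(page.get("buckets", []))
        token = page.get("nextPageToken")
        if not token:
            return buckets
        kwargs = {"pageToken": token}


def find_noncompliant(buckets: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return name/exposure pairs for buckets that are not fully private."""
    findings = []
    for bucket in buckets:
        exposure = bucket_exposure(bucket)
        if exposure != "private":
            findings.append({"name": bucket["name"], "exposure": exposure})
    return findings


def remediation_command(bucket_name: str) -> str:
    """AWS CLI command that makes the bucket fully private."""
    return (
        "aws lightsail update-bucket --bucket-name {} "
        "--access-rules getObject=private,allowPublicOverrides=false"
    ).format(bucket_name)


def audit(client) -> List[Dict[str, str]]:
    """Full audit: page through every bucket and report the non-compliant ones."""
    return find_noncompliant(fetch_all_buckets(client))


# Constructed sample: two GetBuckets pages, as the live API would return them.
SAMPLE_PAGES = {
    None: {
        "buckets": [
            {"name": "app-logs",
             "accessRules": {"getObject": "private", "allowPublicOverrides": False}},
            {"name": "marketing-assets",
             "accessRules": {"getObject": "public", "allowPublicOverrides": False}},
        ],
        "nextPageToken": "page-2",
    },
    "page-2": {
        "buckets": [
            {"name": "uploads",
             "accessRules": {"getObject": "private", "allowPublicOverrides": True}},
        ],
    },
}


class FakeLightsailClient:
    """Offline stand-in for boto3.client('lightsail') that serves SAMPLE_PAGES."""

    def get_buckets(self, pageToken=None, **_ignored):
        return SAMPLE_PAGES[pageToken]


if __name__ == "__main__":
    # Swap FakeLightsailClient() for boto3.client("lightsail") to run against an account.
    for finding in audit(FakeLightsailClient()):
        print("{}: {}".format(finding["name"], finding["exposure"]))
        print("  " + remediation_command(finding["name"]))
```

Against the constructed sample, the audit flags marketing-assets (public) and uploads (overridable) and prints an update-bucket command for each, while app-logs passes; the "overridable" case is the one the console's single access setting makes easy to miss.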


Backout plan:

To revert the change, repeat the Implementation steps, choose the previous access option at step 5, and click on Save.


Reference:

https://aws.amazon.com/lightsail/

update-bucket — AWS CLI 1.20.54 Command Reference