Description:
Lightsail provides object storage in the form of buckets that hold your data. You can add objects to a bucket by uploading files through the Lightsail console, or by configuring your application to put content such as logs or other application data into the bucket.
Rationale:
If the bucket, or any object in it, is public, anyone on the internet can read its contents without authenticating. Access to a Lightsail bucket is governed by its access rules: the bucket-wide getObject setting (private or public) and the allowPublicOverrides flag, which, when enabled, lets individual objects be made public even though the bucket itself is private. Both must be checked.
Impact:
When the bucket is private, only principals that have been granted the appropriate permissions can access the bucket and its objects. Any client that relied on anonymous reads (for example, a website serving images directly from the bucket) will receive access denied until it is granted access explicitly.
Default value:
Lightsail buckets and objects are set to private by default.
Audit:
1. Sign in to the AWS Management Console.
2. Go to the Lightsail service at https://lightsail.aws.amazon.com/
3. Select the Storage tab, choose the bucket, and click it to examine its settings. Lightsail buckets are regional, so repeat this for every region you use.
4. Go to the Permissions tab and check the bucket's access permissions.
5. If the setting is "All objects are public and read-only", the bucket is non-compliant. If it is "Individual objects can be made public and read-only", any object can be exposed, so also review which objects have been made public. In either case, follow the Implementation Steps under Remediation.
Remediation:
Pre-requisites:
Sign in as an administrator, or as an IAM user whose policy allows the lightsail:GetBuckets and lightsail:UpdateBucket actions.
Implementation Steps:
1. Sign in to the AWS Management Console.
2. Go to the Lightsail service at https://lightsail.aws.amazon.com/
3. Select the Storage tab, choose the bucket, and click it to modify it.
4. Go to the Permissions tab and click Change permissions.
5. Select "All objects are private" so that objects are readable only by you and by anyone you explicitly grant access to.
6. Click Save.
Via CLI:
aws lightsail update-bucket
  --bucket-name <value>
  [--access-rules <value>]
  [--readonly-access-accounts <value>]
The --access-rules value has the form getObject=private|public,allowPublicOverrides=true|false. To make the bucket and all of its objects private, pass getObject=private,allowPublicOverrides=false. Afterwards, run aws lightsail get-buckets and confirm the accessRules returned for the bucket show getObject "private" and allowPublicOverrides false.
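As an added example that is not part of the original benchmark text, the following script automates the Audit and Remediation steps above with the AWS CLI: it lists every bucket in the configured region with its access rules, flags any bucket that is public or allows per-object public overrides, and, when asked, applies the same update-bucket call as the Implementation Steps. It assumes the AWS CLI is installed and configured with credentials that allow lightsail:GetBuckets and lightsail:UpdateBucket, and that a region is set (Lightsail buckets are regional). The function names and the script file name are this example's own.

```shell
#!/bin/sh
# Added example: audit every Lightsail bucket in the configured region for
# public access and optionally remediate it with the AWS CLI.
# Assumes: AWS CLI configured with lightsail:GetBuckets and
# lightsail:UpdateBucket permissions; AWS_DEFAULT_REGION (or a profile
# region) set, since Lightsail buckets are regional.
set -eu

# Decide whether a bucket's access rules are compliant.
# $1 = accessRules.getObject (private|public)
# $2 = accessRules.allowPublicOverrides (printed as True|False by --output text)
# Prints PASS or FAIL; exit status 0 for PASS, 1 for FAIL.
check_bucket_access() {
  rule_get="$1"
  rule_overrides=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  if [ "$rule_get" = "private" ] && [ "$rule_overrides" = "false" ]; then
    echo PASS
    return 0
  fi
  # Either the whole bucket is public, or individual objects may be made public.
  echo FAIL
  return 1
}

# One line per bucket: "<name> <getObject> <allowPublicOverrides>".
# Bucket names cannot contain whitespace, so default word splitting is safe.
list_bucket_access() {
  aws lightsail get-buckets \
    --query 'buckets[].[name, accessRules.getObject, accessRules.allowPublicOverrides]' \
    --output text
}

# Remediation from the Implementation Steps: all objects private, and no
# per-object public overrides allowed.
make_bucket_private() {
  aws lightsail update-bucket \
    --bucket-name "$1" \
    --access-rules getObject=private,allowPublicOverrides=false >/dev/null
}

# Audit all buckets; with "--fix" also remediate the failing ones.
# Exit status is 1 if any bucket was non-compliant at audit time.
audit_buckets() {
  fix="${1:-}"
  rc=0
  tmp=$(mktemp)
  list_bucket_access > "$tmp"
  while read -r name get_object allow_overrides; do
    [ -n "$name" ] || continue
    if check_bucket_access "$get_object" "$allow_overrides" >/dev/null; then
      echo "PASS $name"
    else
      echo "FAIL $name getObject=$get_object allowPublicOverrides=$allow_overrides"
      rc=1
      if [ "$fix" = "--fix" ]; then
        make_bucket_private "$name"
        echo "FIXED $name"
      fi
    fi
  done < "$tmp"
  rm -f "$tmp"
  return "$rc"
}

# Usage: sh lightsail-bucket-audit.sh audit   # report only
#        sh lightsail-bucket-audit.sh fix     # report and remediate
case "${1:-}" in
  audit) audit_buckets ;;
  fix)   audit_buckets --fix ;;
esac
```

Run it once per region (for example by setting AWS_DEFAULT_REGION before each invocation). The check treats allowPublicOverrides=true as a failure even when getObject is private, because that setting permits any object in the bucket to be made world-readable later.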
Backout plan:
To revert the change, follow the Implementation Steps again, choose the access option that was previously in use at step 5, and click Save.
Reference: