Profile Applicability:

  • Level 2

Description:
Amazon S3 (Simple Storage Service) is a scalable storage solution for storing data in the cloud. S3 bucket permissions allow users to control who can access and list the objects in the bucket. If an S3 bucket is configured to allow public listing of its contents, it can expose sensitive data to anyone on the internet or any AWS customer, which can result in data leaks, compliance violations, and security risks. It is crucial to ensure that S3 buckets are not listable by Everyone or Any AWS customer.

Rationale:
 Allowing anyone (including unauthorized AWS customers) to list the contents of an S3 bucket poses a significant security risk. This can lead to the unintentional exposure of sensitive data, intellectual property, or personal information. By preventing public listing of S3 buckets, you safeguard your data from being easily discovered or accessed by unauthorized parties. This helps in compliance with data privacy regulations such as GDPR, HIPAA, and SOC 2.

Impact:
 Pros:

  • Prevents unauthorized users or AWS customers from viewing the contents of S3 buckets.

  • Reduces the risk of data exposure or misuse.

  • Enhances security and privacy by restricting public listing permissions.

  • Helps maintain compliance with industry standards and security best practices.

Cons:

  • Requires regular auditing of S3 bucket permissions.

  • Might cause issues if public access is needed for specific objects or buckets.

Default Value:
By default, new S3 buckets are not listable by the public or any AWS customer. However, bucket policies or IAM permissions may allow public listing, which should be reviewed and restricted.

Pre-requisites:

  • AWS IAM permissions:
         s3:ListBucket
     s3:GetBucketAcl

  • Access to the S3 bucket configurations for reviewing permissions and access control lists (ACLs).

  • Ability to modify bucket policies to restrict access.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 and select Buckets from the left-hand menu.

  3. For each bucket, click on the bucket name to open its configuration.

  4. Under the Permissions tab, review the Bucket Policy and Access Control List (ACL).

  5. Ensure that there are no statements in the Bucket Policy allowing public access to list objects (s3:ListBucket) or objects to be read by Everyone or Any AWS customer.

  6. Review the Bucket ACL to ensure that the Everyone and Any AWS customer permissions are restricted.

  7. If public listing is enabled, modify the Bucket Policy or ACL to ensure that only authorized users or accounts have access to list the bucket's contents.

  8. For stricter access control, use IAM policies to restrict permissions at the user or role level.

Using AWS CLI:

  1. List all S3 buckets:

    aws s3api list-buckets --query "Buckets[*].Name"

  2. For each bucket, check the bucket’s permissions:

    aws s3api get-bucket-policy --bucket <BUCKET_NAME>

  3. Check if any policy allows Everyone (Principal: "*") or Any AWS Customer (Principal: "AWS") to list the bucket.

  4. To check the bucket’s ACL, run:

    aws s3api get-bucket-acl --bucket <BUCKET_NAME>

  5. Ensure that Everyone does not have READ or LIST permissions.

  6. If public listing is enabled, disable it by updating the Bucket Policy or ACL:

  7. To modify the Bucket Policy to deny public listing, use the following policy:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<BUCKET_NAME>"
    }
  ]
}

  1. Update the bucket policy:

    aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://policy.json

  2. To modify the Bucket ACL to remove Everyone or Any AWS customer access, run:

    aws s3api put-bucket-acl --bucket <BUCKET_NAME> --acl private

Implementation Plan:

Using AWS Console:

  1. Open the S3 Console and review each bucket’s permissions under the Permissions tab.

  2. Ensure that the Bucket Policy does not allow public listing and remove any Everyone or Any AWS customer access.

  3. If public access is found, modify the policy to restrict access.

  4. Use the ACL settings to ensure only authorized users or services can access the bucket.

Using AWS CLI:

  1. For each bucket, check the current Bucket Policy and ACL.

  2. Update the Bucket Policy to restrict public listing permissions.

  3. Use the put-bucket-acl command to modify the ACL and remove public access:

    aws s3api put-bucket-acl --bucket <BUCKET_NAME> --acl private

  4. Verify that public listing is disabled by checking the permissions again.

Backout Plan:

Using AWS Console:

  1. If modifications cause issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3, select the bucket, and go to the Permissions tab.

  3. Revert the Bucket Policy and ACL to the previous settings before restrictions were applied.

  4. Save the changes and monitor the bucket to ensure it is functioning as expected.

Using AWS CLI:

  1. If you need to revert changes, restore the Bucket Policy and ACL to the previous settings:

    aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://previous-policy.json
aws s3api put-bucket-acl --bucket <BUCKET_NAME> --acl private

Reference:

CIS Controls:

Version

Control ID

Control Description

7.1

4.1

Ensure that S3 bucket permissions are configured to prevent public listing of contents and unauthorized access.

7.1

8.1

Restrict access to S3 buckets to only authorized users and networks, ensuring that the bucket is not listable by the public or any AWS customer.