Profile Applicability:

Level 1

Description:

AWS Lightsail allows users to create storage buckets, which may contain sensitive data. It's essential to ensure that these buckets are not publicly accessible, preventing unauthorized access to data stored in Lightsail buckets. Ensuring the correct access control settings can help maintain the security of the data and prevent potential data breaches.

Rationale:

Preventing public access to Lightsail buckets ensures that:

  • Sensitive data stored in buckets is not exposed to unauthorized parties.

  • Data privacy and security are maintained by enforcing proper access controls.

  • Compliance with industry regulations and internal security policies is achieved.

Default Value:

By default, Lightsail buckets may be publicly accessible if the appropriate access control settings are not configured. It is important to manually verify and enforce restrictive access policies.

Impact:

  • Pros:

    • Improved security by ensuring that sensitive data is not publicly exposed.

    • Enhanced compliance with data protection regulations and internal security policies.

  • Cons:

    • Incorrect configurations may lead to service disruptions or unintentional access restrictions.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to Lightsail under Storage.

  3. Go to Buckets and select the bucket you want to configure.

  4. Click on the Permissions tab and verify the bucket’s access control settings.

  5. Ensure that Public Access is disabled. If it’s enabled, modify the access control settings to restrict public access.

  6. Save the changes and confirm that the bucket is no longer publicly accessible.

Using AWS CLI:

  1. Run the following command to check the access rules of the Lightsail bucket (the bucket is public when `accessRules.getObject` is `public`; `allowPublicOverrides` should also be `false`, otherwise individual objects can still be made public):

    aws lightsail get-buckets --bucket-name <bucket-name> --query 'buckets[].accessRules'

  2. If the bucket is publicly accessible, run the following command to restrict public access:

    aws lightsail update-bucket --bucket-name <bucket-name> --access-rules getObject=private,allowPublicOverrides=false

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to Lightsail and select Buckets under Storage.

  3. Review the access control settings of the bucket.

  4. Disable Public Access by configuring the appropriate settings in the Permissions tab.

  5. Confirm that the bucket is no longer publicly accessible.

Using AWS CLI:

  1. Check the bucket’s current access rules using the following command:

    aws lightsail get-buckets --bucket-name <bucket-name> --query 'buckets[].accessRules'

  2. If the bucket is accessible publicly (`getObject` is `public`), restrict access by running the following command:

    aws lightsail update-bucket --bucket-name <bucket-name> --access-rules getObject=private,allowPublicOverrides=false
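The CLI steps in the Test Plan and Implementation Plan above check one bucket at a time. As an added example (not part of this benchmark or of AWS tooling), the script below consumes the JSON from `aws lightsail get-buckets` for a whole account, reports every bucket whose default grants public read, and also flags the weaker case where the default is private but per-object public overrides are still allowed. The response shape follows the documented GetBuckets output; the sample buckets and names are constructed.

```python
"""Check `aws lightsail get-buckets --output json` output for public access.
Assumes the documented GetBuckets shape: each bucket has `accessRules` with
`getObject` ("public"|"private") and `allowPublicOverrides` (bool)."""
import json
import sys

# Constructed sample response (not real account data).
SAMPLE_RESPONSE = json.dumps({"buckets": [
    {"name": "app-assets",
     "accessRules": {"getObject": "public", "allowPublicOverrides": False}},
    {"name": "customer-exports",
     "accessRules": {"getObject": "private", "allowPublicOverrides": True}},
    {"name": "backups",
     "accessRules": {"getObject": "private", "allowPublicOverrides": False}},
]})


def evaluate_buckets(response_json: str) -> list:
    """Return one finding per non-compliant bucket.
    high:   bucket default grants anonymous GetObject.
    medium: default is private, but per-object public overrides are still
            allowed, so individual objects can be exposed later."""
    findings = []
    for bucket in json.loads(response_json).get("buckets", []):
        rules = bucket.get("accessRules", {})
        name = bucket.get("name", "<unknown>")
        if rules.get("getObject") == "public":
            findings.append({"bucket": name, "severity": "high",
                             "reason": "bucket-wide public read"})
        elif rules.get("allowPublicOverrides"):
            findings.append({"bucket": name, "severity": "medium",
                             "reason": "per-object public overrides allowed"})
    return findings


def remediation_command(bucket_name: str) -> list:
    """argv for the CLI call that makes the bucket private and blocks overrides."""
    return ["aws", "lightsail", "update-bucket", "--bucket-name", bucket_name,
            "--access-rules", "getObject=private,allowPublicOverrides=false"]


if __name__ == "__main__":
    # Usage: aws lightsail get-buckets --output json | python3 check_buckets.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for f in evaluate_buckets(data):
        print(f"[{f['severity']}] {f['bucket']}: {f['reason']}")
        print("  fix: " + " ".join(remediation_command(f["bucket"])))
```

The script only prints the remediation command; review the findings before running it, since a bucket that intentionally serves public static content will be listed as well.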

Backout Plan:

Using AWS Console:

  1. If the bucket is accidentally restricted, log in to the AWS Management Console.

  2. Navigate to Lightsail and select Buckets under Storage.

  3. Select the affected bucket and review the Permissions tab.

  4. If necessary, re-enable public access (though this is not recommended for sensitive data).

Using AWS CLI:

  1. If the bucket was mistakenly restricted, run the following command to modify access:

    aws lightsail update-bucket --bucket-name <bucket-name> --access-rules getObject=public

References:

CIS Controls:

  Version   Control ID   Control Description
  v8        3.4          Ensure that Lightsail buckets are not publicly accessible to prevent unauthorized data access.
  v7        14.2         Implement access controls to protect data stored in Lightsail buckets from being exposed publicly.