Profile Applicability:

Level 1

Description:

AWS Lightsail allows users to create buckets for storage purposes. It's essential to use AWS IAM policies to manage and control access to these buckets. By using IAM policies, you can ensure that only authorized users or services have access to the buckets, providing an additional layer of security to protect sensitive data stored in Lightsail.

Rationale:

Managing access to Lightsail buckets using IAM policies ensures that:

  • Only authorized users and services can access the buckets, preventing unauthorized data access.

  • Access permissions can be controlled granularly, ensuring users only have the permissions they need.

  • The security of sensitive data is enhanced by preventing unintended access or modifications.

Default Value:

By default, Lightsail buckets do not have any IAM policies restricting access. Access is based on the permissions of the user or service accessing the bucket, which may not be secure for sensitive data.

Impact:

  • Pros:

    • Improved security by restricting access to sensitive data stored in Lightsail buckets.

    • Granular access control, allowing you to specify exactly who can access the buckets and what actions they can perform.

    • Better compliance with security best practices and regulatory standards.

  • Cons:

    • Misconfigured IAM policies could lead to improper access controls, either too permissive or too restrictive.

    • Requires careful management of IAM policies to ensure they are correctly applied across all buckets.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Console.

  2. Navigate to the IAM section under Security, Identity & Compliance.

  3. Go to Policies to review existing IAM policies.

  4. Ensure that appropriate IAM policies are attached to the users or roles that need access to Lightsail buckets.

  5. If no policies are in place, create a new IAM policy that restricts access to the Lightsail buckets by specifying appropriate actions (e.g., s3:GetObject, s3:PutObject) and resources (i.e., the specific Lightsail buckets).

  6. Attach the policy to the appropriate user, group, or role.

Using AWS CLI:

  1. Run the following command to list existing IAM policies:

    aws iam list-policies

  2. Review the policies to ensure that access to Lightsail buckets is controlled via IAM policies.

  3. If a policy needs to be created, use the following command to create a new IAM policy with the appropriate permissions for Lightsail bucket access:

    aws iam create-policy --policy-name LightsailBucketAccessPolicy --policy-document file://policy.json

  4. Ensure that policy.json contains the necessary permissions for managing Lightsail bucket access.

  5. Attach the policy to the necessary user, group, or role using the following command (the policy ARN is returned in the output of create-policy; customer-managed policies live under your account ID, not the aws namespace):

    aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/LightsailBucketAccessPolicy

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Console.

  2. Navigate to the IAM section under Security, Identity & Compliance.

  3. Review existing policies under Policies and ensure they restrict access to the Lightsail buckets.

  4. If no policy exists, create a policy with the necessary permissions.

  5. Attach the policy to users, groups, or roles as required to manage access to Lightsail buckets.

Using AWS CLI:

  1. Create the IAM policy using the following command:

    aws iam create-policy --policy-name LightsailBucketAccessPolicy --policy-document file://policy.json

  2. Attach the newly created policy to the required users, groups, or roles, using the policy ARN returned by create-policy:

    aws iam attach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/LightsailBucketAccessPolicy
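The policy.json read by the create-policy commands in the Test Plan and Implementation Plan is left unspecified above. As an added example (not from this page or from AWS), the following Python builds a least-privilege document for one bucket using the actions the Test Plan names, forms the customer-managed policy ARN that attach-user-policy needs, and flags wildcard Allow statements when reviewing existing policies (the "too permissive" case in the Cons). The account ID, bucket name and the S3-style bucket ARN form are assumptions.

```python
import json

# Constructed sample values (not from the page); substitute your own account ID and bucket.
ACCOUNT_ID = "123456789012"
BUCKET_NAME = "example-lightsail-bucket"

def build_bucket_policy(bucket, actions=("s3:GetObject", "s3:PutObject")):
    """Return a policy.json document limited to the named actions on one bucket.
    Assumption: objects are addressed with the S3-style ARN arn:aws:s3:::<bucket>/*."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LightsailBucketObjectAccess",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def policy_arn(account_id, policy_name):
    """ARN of a customer-managed policy, as returned by `aws iam create-policy`."""
    return f"arn:aws:iam::{account_id}:policy/{policy_name}"

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def policy_findings(doc):
    """Review a policy document (e.g. the output of `aws iam get-policy-version`)
    and report Allow statements that are broader than a single bucket needs."""
    findings = []
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}; list the exact actions needed")
        if any(r == "*" for r in resources):
            findings.append(f"{sid}: resource '*' covers every bucket; scope to the bucket ARN")
    return findings

if __name__ == "__main__":
    doc = build_bucket_policy(BUCKET_NAME)
    with open("policy.json", "w") as fh:  # the file the page's create-policy command reads
        json.dump(doc, fh, indent=2)
    print("findings:", policy_findings(doc) or "none")
    print("attach with --policy-arn", policy_arn(ACCOUNT_ID, "LightsailBucketAccessPolicy"))
```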

Backout Plan:

Using AWS Console:

  1. If incorrect policies are applied, log in to the AWS Console.

  2. Navigate to IAM and go to Policies.

  3. Detach the incorrect policy from the affected users, groups, or roles.

  4. Attach the correct policy to the appropriate entities.

Using AWS CLI:

  1. If an incorrect policy is applied, run the following command to detach it:

    aws iam detach-user-policy --user-name <username> --policy-arn arn:aws:iam::<account-id>:policy/LightsailBucketAccessPolicy

  2. Attach the correct policy, using its full ARN:

    aws iam attach-user-policy --user-name <username> --policy-arn <correct-policy-arn>

References:

CIS Controls:

  Version   Control ID   Control Description
  v8        3.4          Configure IAM policies to manage access to AWS resources, such as Lightsail buckets, ensuring that only authorized users or services can access the resources.
  v7        14.2         Ensure access controls are enforced using IAM policies, protecting data stored in services such as Lightsail buckets from unauthorized access.