Profile Applicability:
- Level 2
Description:
Access points provide a simplified way to manage access to Amazon S3 buckets for shared access from multiple services or applications. Proper IAM policies should be configured for these access points to ensure that only authorized users or applications can access sensitive data. Ensuring access points are created and IAM policies are correctly configured is crucial for security, scalability, and efficient management of S3 resources.
Rationale:
Ensuring that access points and IAM policies are properly configured provides:
- Fine-grained access control to S3 resources via access points
- Secure, easily manageable access for different applications or services
- Proper enforcement of least privilege by assigning IAM policies to access points
- Compliance with security best practices, especially when using shared access scenarios
Default Value:
Access points are not created by default for S3 buckets. IAM policies for access points must be manually configured to ensure secure access.
Impact:
Pros:
• Allows easier management of access to S3 buckets for different services or applications
• Provides more secure access control via IAM policies linked to access points
• Helps enforce compliance with organizational access and security standards
Cons:
• Requires proper setup of IAM policies and careful management of permissions
• Misconfigured policies could lead to unauthorized access or deny legitimate access
• Additional setup complexity when managing multiple access points across large environments
Pre-requisites:
IAM Permissions Required:
s3:CreateAccessPoint, s3:DeleteAccessPoint, iam:PutRolePolicy, iam:AttachRolePolicy
Permissions to create and manage IAM roles, policies, and S3 access points
Remediation:
Test Plan:
Using AWS Console:
- Log in to the AWS Management Console
- Navigate to S3 > Access Points
- Review the list of access points configured for your S3 buckets
- For each access point, check that the associated IAM policies are properly attached and enforce least privilege
- Test the access point by accessing the S3 bucket through the access point and verify that only authorized users or applications can access the data
Using AWS CLI:
aws s3control list-access-points \
  --account-id <account-id>
aws iam list-attached-role-policies \
  --role-name <role-name>
aws s3control get-access-point-policy \
  --account-id <account-id> \
  --name <access-point-name>
Implementation Plan:
Using AWS Console:
- Navigate to S3 > Access Points and click Create Access Point
- Select the S3 bucket to associate with the access point
- Assign the appropriate VPC, IP address ranges, and other configuration settings for the access point
- Attach the correct IAM policies to the access point to ensure only authorized access is allowed
- Monitor the created access point to ensure it is used correctly and securely by applications or services
Using AWS CLI:
Step 1: Create the access point
aws s3control create-access-point \
  --account-id <account-id> \
  --name <access-point-name> \
  --bucket <bucket-name> \
  --vpc-configuration VpcId=<vpc-id>
Step 2: Attach an IAM policy to the access point
aws iam attach-role-policy \
  --role-name <role-name> \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
Step 3: Get the access point policy
aws s3control get-access-point-policy \
  --account-id <account-id> \
  --name <access-point-name>
Step 4: Test access through the access point
aws s3 cp s3://arn:aws:s3:<region>:<account-id>:accesspoint/<access-point-name>/file.txt ./file.txt
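The Test Plan asks you to confirm that each access point's policy enforces least privilege, and Step 3 above retrieves that policy with get-access-point-policy. The following is an added example (not code from the page or from AWS) that does both halves of that work offline: it builds a read-only access point policy scoped to one role and one key prefix, and it audits a policy document for Allow statements that are broader than that (any principal, wildcard actions, unscoped resources). The account id, region, access point name, role ARN and prefix are constructed placeholders; the sample CLI output is likewise constructed to look like what get-access-point-policy returns for an over-broad access point.

```python
"""Build a least-privilege S3 Access Point policy and audit one returned by
`aws s3control get-access-point-policy`. Added example; all identifiers below
are constructed placeholders, not real resources."""
import json

ACCOUNT_ID = "111122223333"            # placeholder
REGION = "us-east-1"                   # placeholder
ACCESS_POINT_NAME = "reports-ap"       # placeholder
READER_ROLE_ARN = "arn:aws:iam::111122223333:role/reports-reader"  # placeholder
ALLOWED_PREFIX = "reports/"            # placeholder key prefix


def access_point_arn(account_id, region, name):
    """ARN form used in access point policies: arn:aws:s3:REGION:ACCOUNT:accesspoint/NAME."""
    return f"arn:aws:s3:{region}:{account_id}:accesspoint/{name}"


def build_least_privilege_policy(account_id, region, name, role_arn, prefix):
    """Allow one role read-only access to one key prefix through the access point.
    Object resources use the .../accesspoint/NAME/object/KEY-PATTERN form;
    ListBucket applies to the access point ARN and is narrowed with s3:prefix."""
    ap_arn = access_point_arn(account_id, region, name)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadObjectsUnderPrefix",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:GetObject",
                "Resource": f"{ap_arn}/object/{prefix}*",
            },
            {
                "Sid": "ListOnlyThatPrefix",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:ListBucket",
                "Resource": ap_arn,
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
        ],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for Allow statements broader than least privilege:
    any-principal access, wildcard actions, or resources covering every object."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            findings.append(f"{sid}: Principal '*' allows any AWS principal or anonymous access")
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "s3:*") or action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith("accesspoint/*") or resource.endswith("/object/*"):
                findings.append(f"{sid}: resource {resource} is not scoped to a key prefix")
    return findings


def parse_get_access_point_policy_output(cli_output):
    """The CLI returns {"Policy": "<json string>"}; unwrap it into a policy document."""
    return json.loads(json.loads(cli_output)["Policy"])


# Constructed sample of CLI output for an over-broad access point policy.
SAMPLE_CLI_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": f"{access_point_arn(ACCOUNT_ID, REGION, ACCESS_POINT_NAME)}/object/*",
        }],
    })
})


if __name__ == "__main__":
    good = build_least_privilege_policy(ACCOUNT_ID, REGION, ACCESS_POINT_NAME, READER_ROLE_ARN, ALLOWED_PREFIX)
    print(json.dumps(good, indent=2))
    print("findings for scoped policy:", audit_policy(good))
    for finding in audit_policy(parse_get_access_point_policy_output(SAMPLE_CLI_OUTPUT)):
        print("FINDING:", finding)
```

To use the audit against a real access point, pipe the output of `aws s3control get-access-point-policy --account-id <account-id> --name <access-point-name>` into parse_get_access_point_policy_output and review the findings; an empty list means no statement matched the broad patterns, not that the policy is correct for your application, so still compare the principals and prefixes against what each application actually needs.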
Backout Plan:
Using AWS Console:
- If the access point is misconfigured, delete or modify the access point configuration
- Revert any IAM policy changes to ensure the correct access permissions are set for the access point
- Delete the access point if it is no longer needed
Using AWS CLI:
To delete the access point:
aws s3control delete-access-point \
  --account-id <account-id> \
  --name <access-point-name>
To detach the IAM policy:
aws iam detach-role-policy \
  --role-name <role-name> \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
References:
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html
- https://docs.aws.amazon.com/cli/latest/reference/s3control/create-access-point.html
- https://aws.amazon.com/s3/