Control: AWS > PCI v3.2.1 > S3 > 2 S3 buckets should prohibit public read access

This control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).

Unless you explicitly require everyone on the internet to be able to write to your S3 bucket, you should ensure that your S3 bucket is not publicly writable.

It does not check for read access to the bucket by internal principals, such as IAM roles. You should ensure that access to the bucket is restricted to authorized principals only.

Remediation

1. Open the Amazon S3 console. 2. Choose the name of the bucket identified in the finding. 3. Choose Permissions and then choose Public access settings. 4. Choose Edit, select all four options, and then choose Save. 5. If prompted, enter confirm and then choose Confirm.

PCI requirement(s): 1.2.1, 1.3.1, 1.3.2, 1.3.6, 7.2.1

Resource Types

This control targets the following resource types:

AWS > S3 > Bucket

Policies

This control type relies on these other policies when running actions:

AWS > PCI v3.2.1

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketRestrictPublicReadAccess

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketRestrictPublicReadAccess") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketRestrictPublicReadAccess'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketRestrictPublicReadAccess"