Control: 3.9 Ensure that your Lightsail buckets are not publicly accessible
Description
You can make all objects private, all objects public (read-only), or keep all objects private while making individual objects public (read-only). By default, when you create a bucket, the permissions are set to "All objects are private".
When the bucket access permissions are set to "All objects are public (read-only)", every object in the bucket is readable by anyone on the internet through the URL of the bucket.
Remediation
From the Console:
- Login to AWS Console using https://console.aws.amazon.com.
- Click All services, then click Lightsail under Compute. This will open up the Lightsail console.
- Select Storage. All Lightsail buckets are listed here.
- Click on the bucket name that has All objects are public (read-only) listed.
- Click on Permissions.
- Click on Change permissions.
- Select All objects are private.
- Click Save.
- Repeat for any other buckets within Lightsail that are set with All objects are public (read-only) and/or Individual objects can be made public and read only.
From the Command Line:
- Run aws lightsail update-bucket for each bucket found in the audit:
  aws lightsail update-bucket --bucket-name <name from list in audit> --access-rules getObject="private",allowPublicOverrides=false
- The confirmation that the change was made will print out after running that command.
- Repeat for any other buckets listed in the audit.
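The command-line remediation above assumes you already have the list of non-compliant buckets from the audit. The following script is an added example, not part of this mod or of the AWS CLI: it reads the output of aws lightsail get-buckets (name, accessRules.getObject and accessRules.allowPublicOverrides, in text format), flags any bucket whose objects are public or that allows individual objects to be made public, and prints the update-bucket command from this page for each one. The function and bucket names are assumptions; the sample bucket list is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the aws_compliance mod): audit Lightsail bucket
# access rules and emit the remediation command for each non-compliant bucket.
#
# find_public_buckets reads lines of "name<TAB>getObject<TAB>allowPublicOverrides"
# on stdin, as produced by:
#   aws lightsail get-buckets \
#     --query 'buckets[].[name,accessRules.getObject,accessRules.allowPublicOverrides]' \
#     --output text
# It prints "<name> <reason>" for every bucket that is not "All objects are private".
find_public_buckets() {
  while IFS="$(printf '\t')" read -r name get_object allow_overrides; do
    [ -z "$name" ] && continue
    if [ "$get_object" = "public" ]; then
      # "All objects are public (read-only)": readable by anyone on the internet
      echo "$name getObject=public"
    elif [ "$allow_overrides" = "True" ] || [ "$allow_overrides" = "true" ]; then
      # "Individual objects can be made public and read only"
      echo "$name allowPublicOverrides=true"
    fi
  done
}

# remediation_commands turns the flagged buckets into the update-bucket
# command from the Remediation section (one line per bucket).
remediation_commands() {
  find_public_buckets | while read -r name reason; do
    echo "aws lightsail update-bucket --bucket-name $name --access-rules getObject=\"private\",allowPublicOverrides=false"
  done
}

# Constructed sample output (hypothetical bucket names) for an offline run.
SAMPLE="$(printf 'photos-bucket\tpublic\tFalse\nlogs-bucket\tprivate\tFalse\nassets-bucket\tprivate\tTrue\n')"

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE" | find_public_buckets
  printf '%s\n' "$SAMPLE" | remediation_commands
fi
```

Against a real account, pipe the aws lightsail get-buckets command shown in the comment into remediation_commands, review the printed commands, and then run them; the script prints rather than executes so that the change to each bucket is a deliberate step.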
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_3_9
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_3_9 --share
SQL
This control uses a named query:
manual_control