aws_compliance

AWS Compliance

This control checks that the access granted by the S3 bucket is restricted by any of the principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is compliant if a bucket policy is not present.

s3_bucket_policy_restrict_public_access

gxp_21_cfr_part_11_11_10_d

11.10(d) Limiting system access to authorized individuals

gxp_21_cfr_part_11_11_10_g

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

hipaa_security_rule_2003_164_308_a_1_ii_b

164.308(a)(1)(ii)(B) Risk management

hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b

hipaa_security_rule_2003_164_308_a_3_i

164.308(a)(3)(i) Workforce security

hipaa_final_omnibus_security_rule_2013_164_308_a_3_i

hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a

164.308(a)(3)(ii)(A) Authorization and/or supervision

hipaa_security_rule_2003_164_308_a_3_ii_b

164.308(a)(3)(ii)(B) Workforce clearance procedure

hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b

hipaa_final_omnibus_security_rule_2013_164_308_a_4_i

164.308(a)(4)(i) Information access management

hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b

164.308(a)(4)(ii)(B) Access authorization

hipaa_security_rule_2003_164_308_a_4_ii_b

hipaa_security_rule_2003_164_308_a_4_ii_c

164.308(a)(4)(ii)(C) Access establishment and modification

hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c

hipaa_security_rule_2003_164_312_a_1

164.312(a)(1) Access control

hipaa_final_omnibus_security_rule_2013_164_312_a_1

nist_800_171_rev_2_3_1_1

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)

nist_800_171_rev_2_3_1_2

3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute

nist_800_171_rev_2_3_1_20

3.1.20 Verify and control/limit connections to and use of external systems

nist_800_171_rev_2_3_1_4

3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion

nist_800_171_rev_2_3_1_5

3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts

nist_800_171_rev_2_3_1_7

3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs

nist_800_171_rev_2_3_13_5

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

cis_controls_v8_ig1_3_3

3.3 Configure Data Access Control Lists

nist_800_171_rev_2_3_3_8

3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion

soc_2_cc_6_1

CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives

soc_2_cc_6_2

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity

soc_2_cc_6_3

CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives

soc_2_cc_6_6

CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries

nist_csf_pr_ac_1

PR.AC-1

nist_csf_pr_ac_3

PR.AC-3

nist_csf_pr_ac_4

PR.AC-4

nist_csf_pr_pt_3

PR.PT-3

all_controls_s3

S3 bucket policy should prohibit public access

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, FFIEC, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower, FedRAMP, GxP and AWS Foundational Security Best Practices controls across all your AWS accounts using Powerpipe and Steampipe.

Apache License 2.0

steampipe-mod-aws-compliance

Control: S3 bucket policy should prohibit public access

Description

Usage

SQL

Tags