We have some public read S3 buckets for hosting static web content.

In security hub they are being flagged as a 'CRITICAL' failure titled "S3 buckets should prohibit public read access".

The remediation documentation (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-2-remediation) suggests the only way to fix it is to remove public access, but they also say: "Some use cases require that everyone on the internet be able to read from your S3 bucket. However, those situations are rare. To ensure the integrity and security of your data, your S3 bucket should not be publicly readable."

We have a few buckets in the 'rare' situation (I doubt it's that rare). How can we fix the Security Hub failure while still being able to use some S3 buckets to host web content?

Or is this just not possible, and the only fix is to put a proxy between S3 and the web and make the bucket private? That seems like a lot of unnecessary effort.

Best answer:

You can always disable a control within an enabled standard.

You can use the console, the AWS CLI, or the Security Hub API.

According to the docs:

To disable a control (console)

  • In the Security Hub navigation pane, choose Security standards.
  • For the standard that you want to disable a control for, choose View results.
  • If you are an administrator account, choose Enabled for this account. Other accounts can enable controls from any tab other than the Disabled tab. Do one of the following:
      • In the control list, choose the control to disable. Then choose Disable.
      • Choose the control title. Then, on the control details page, choose Disable.
  • Enter a reason why you are disabling the control. This can help others in your organization understand why the control is disabled. Choose Disable.
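The answer above covers the console path; the same change can be made from the AWS CLI, which is easier to keep under review and version control. The script below is an added example and is not from the original answer or from AWS documentation. It assumes the `aws` CLI is installed with credentials permitted to call `securityhub:UpdateStandardsControl` and `securityhub:BatchUpdateFindings`; the region, account id, and finding id are constructed placeholders. It goes a step beyond the answer by also showing the narrower alternative a defender usually prefers: keeping control S3.2 enabled and suppressing only the findings for buckets that are public on purpose, so a bucket that becomes public by accident is still flagged.

```shell
#!/bin/sh
# Added example (not part of the original Q&A): disable Security Hub control S3.2
# for one account/region via the AWS CLI, or suppress individual findings instead.
# Placeholders (constructed for this example): REGION, ACCOUNT_ID and the finding
# id passed to suppress_finding. Replace them with your own values.
set -eu

REGION="${REGION:-us-east-1}"               # placeholder region
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"    # placeholder account id
STANDARD="aws-foundational-security-best-practices/v/1.0.0"

# Build the StandardsControlArn that update-standards-control expects.
# $1 region, $2 account id, $3 control id such as S3.2
control_arn() {
    printf 'arn:aws:securityhub:%s:%s:control/%s/%s\n' "$1" "$2" "$STANDARD" "$3"
}

# Build the StandardsSubscriptionArn used by describe-standards-controls to list
# every control in the standard together with its current status.
# $1 region, $2 account id
subscription_arn() {
    printf 'arn:aws:securityhub:%s:%s:subscription/%s\n' "$1" "$2" "$STANDARD"
}

# Show the current status of all controls in the standard (for a before/after check).
list_controls() {
    aws securityhub describe-standards-controls \
        --region "$REGION" \
        --standards-subscription-arn "$(subscription_arn "$REGION" "$ACCOUNT_ID")" \
        --query 'Controls[].[ControlId,ControlStatus,DisabledReason]' --output table
}

# Disable a control for the whole account/region, recording the reason.
# Caveat: this silences the check for EVERY bucket here, including buckets that
# later become public by mistake, so prefer suppress_finding where you can.
# $1 control id, $2 reason text
disable_control() {
    aws securityhub update-standards-control \
        --region "$REGION" \
        --standards-control-arn "$(control_arn "$REGION" "$ACCOUNT_ID" "$1")" \
        --control-status DISABLED \
        --disabled-reason "$2"
}

# Narrower alternative: keep the control on and mark one finding SUPPRESSED.
# Finding ids come from `aws securityhub get-findings`; avoid commas in the
# note text because the CLI shorthand syntax splits on them.
# $1 finding id, $2 note text
suppress_finding() {
    aws securityhub batch-update-findings \
        --region "$REGION" \
        --finding-identifiers "Id=$1,ProductArn=arn:aws:securityhub:$REGION::product/aws/securityhub" \
        --workflow Status=SUPPRESSED \
        --note "Text=$2,UpdatedBy=security-team"
}

# Usage: `sh disable_s3_2.sh run` performs the account-wide disable. Nothing
# is called unless "run" is passed and the aws CLI is present.
if [ "${1:-}" = "run" ] && command -v aws >/dev/null 2>&1; then
    list_controls
    disable_control S3.2 "Bucket hosts public static web content; reviewed $(date +%F)"
    list_controls
fi
```

The reason string is stored with the control and shown in the console, so write it for the next auditor: which buckets are intentionally public and when that was last reviewed. Disabling applies per account and region, so an organisation with several accounts has to repeat it, or apply the suppression route per finding, in each one.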