Guides
  1. aws policies
  2. Simple Storage Service (S3)

Ensure that S3 bucket ACLs don't allow 'FULL_CONTROL' access for anonymous / AWS authenticated users

Risk Level: Critical
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.100
Covered by Spectral: No
Category: Storage

GSL LOGIC

S3Bucket should not have acl.grants contain [ (uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' or uri = 'http://acs.amazonaws.com/groups/global/AllUsers') and premission = 'FULL_CONTROL']

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.
  3. Choose Permissions.
  4. Under ACL, choose Edit and modify the ACL configuration for the S3 bucket.
  5. On the Edit ACL page, Under Objects uncheck the relevant permission box.
    Check the box which say "I understand the effects of these changes on my objects and buckets".
  6. Choose Save changes, which returns you to the Bucket Permissions page.

From TF
Remove the relevant ACL policy block:

resource "aws_s3_bucket_acl" "example_s3_bucket_acl" {
	..
	access_control_policy {
		grant {
			grantee {
				uri  = ACL-URI
				type = "Group"
			}
			permission = "FULL_CONTROL"
			..
		}

From Command Line
To deny the ACLs permissions for everyone, run:

aws s3api put-bucket-acl --bucket BUCKET-NAME --acl private

References

  1. https://aws.amazon.com/premiumsupport/knowledge-center/s3-public-access-acl/
  2. https://awscli.amazonaws.com/v2/documentation/api/2.0.34/reference/s3api/put-bucket-acl.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere — web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset

Updated 7 months ago