S3 bucket should not be world-writable from anonymous users

Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion

Risk Level: Critical
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.30
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

S3Bucket should not have acl.grants contain [uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' and (permission = 'FULL_CONTROL' or permission = 'WRITE')]

REMEDIATION

From Portal:

  1. Go to the Amazon S3 console.
  2. Select the S3 bucket you want to change.
  3. Select the Permissions tab, and then go to Bucket Policy.
  4. Remove policy statements that grant s3:Put* actions to public principals. If necessary, modify the policy instead, to limit the access to specific principals.
     Then, select Access Control List, and remove any grants that allow Write objects for Public (everyone) users.

From TF:

resource "aws_s3_bucket" "test" {
	bucket = "mybucket"
	grant {
		type        = "Group"
		# Any permission set that does not include "WRITE", "FULL_CONTROL" or "READ_ACP";
		# ["READ"] is used here only as an example value.
		permissions = ["READ"]
		uri         = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
	}
}

From Command Line:

  1. Get and put a bucket policy. The following example shows how to download an Amazon S3 bucket policy, modify the file, and then use put-bucket-policy to apply the modified bucket policy. Run the following command to download the bucket policy to a file:
aws s3api get-bucket-policy --bucket BUCKET_NAME --query Policy --output text > policy.json
  2. You can then modify the policy.json file as needed. Finally, apply the modified policy back to the S3 bucket by running:
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://policy.json

Note: Use the action s3:Put* with Effect: Deny for public user principals. Follow the reference links for more details on JSON policy syntax.
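The following script is an added example and is not CloudGuard's or AWS's own code. It re-implements the GSL condition above as an offline check over a bucket ACL, adds the equivalent check over a bucket policy (Allow statements granting s3:Put* to everyone), and builds the explicit-Deny statement that the note recommends. The ACL and policy documents are constructed samples in the same shape that boto3's get_bucket_acl() and get_bucket_policy() return, so the same functions can be fed live data; the AllUsers group, the account id and the aws:PrincipalAccount condition are assumptions added here to cover anonymous access without denying the bucket owner's own writes.

```python
"""Offline checks mirroring CloudGuard rule D9.AWS.IAM.30 (added example)."""
import json
from fnmatch import fnmatchcase

# Pre-defined S3 global groups. The page's GSL names only AuthenticatedUsers;
# AllUsers (anonymous access) is included here as an assumption.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {AUTHENTICATED_USERS, ALL_USERS}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}

# Constructed sample ACL, shaped like boto3 s3.get_bucket_acl() output.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "READ"},
    ],
}

# Constructed sample policy, shaped like the JSON in the "Policy" field of
# s3.get_bucket_policy() (the CLI step above writes it to policy.json).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"},
    {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::mybucket/*"},
    {"Sid": "OwnerAll", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::mybucket/*"}
  ]
}""")


def acl_write_grants(acl):
    """Return (uri, permission) for grants giving WRITE/FULL_CONTROL to a global group.

    This is the GSL condition on the page: a grant whose grantee URI is a
    global group and whose permission is FULL_CONTROL or WRITE.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") in PUBLIC_GROUPS and grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}: any account, including anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_public_put_statements(policy):
    """Return Sids of Allow statements that grant an s3:Put* action to everyone.

    Action names are matched case-insensitively with shell wildcards, so
    "s3:*", "s3:Put*" and "s3:PutObject" are all reported. Statements with a
    Condition are still reported; a condition may narrow the principal but
    that needs human review rather than an automatic pass.
    """
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(fnmatchcase("s3:putobject", p) for p in patterns):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def deny_public_put_statement(bucket, account_id):
    """Build the explicit Deny the page's note recommends.

    Principal "*" plus a StringNotEquals on aws:PrincipalAccount (assumption)
    denies s3:Put* to every principal outside the owning account while
    leaving the owner's own writes alone.
    """
    return {
        "Sid": "DenyPublicPut",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:Put*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:PrincipalAccount": account_id}},
    }


def is_compliant(acl, policy):
    """True only when neither the ACL nor the policy grants public write."""
    return not acl_write_grants(acl) and not policy_public_put_statements(policy)


if __name__ == "__main__":
    print("ACL findings:", acl_write_grants(SAMPLE_ACL))
    print("Policy findings:", policy_public_put_statements(SAMPLE_POLICY))
    print(json.dumps(deny_public_put_statement("mybucket", "111111111111"), indent=2))
```

To run it against a real bucket, replace SAMPLE_ACL with the dict returned by boto3's s3.get_bucket_acl(Bucket=...) and SAMPLE_POLICY with json.loads(...) of the "Policy" string from s3.get_bucket_policy(Bucket=...); the Deny statement can be appended to the Statement list in policy.json before the put-bucket-policy step.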

References:

  1. https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
  2. https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html
  3. https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html
  4. https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
  5. https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-policy.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere — web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS Risk Management
  • AWS Security Risk Management