Risk Level: Critical
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.30
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

S3Bucket should not have acl.grants contain [uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' and (premission = 'FULL_CONTROL' or premission = 'WRITE')]

REMEDIATION

From Portal:

Go to Amazon S3 console
Select the desired S3 bucket you want to change.
Select the Permissions tab, and then go to Bucket Policy.
Remove policies for s3:Put *actions for principals*. If necessary, modify the policy instead, to limit the access to specific principals.
Then, select Access Control List, and remove any grants to Write objects to Public (everyone) users.

From TF:

resource "aws_s3_bucket" "test" {
	bucket = "mybucket"
	grant {
		type        = "Group"
		+   permissions = [...] // not "WRITE" or "FULL_CONTROL" or "READ_ACP"
		uri         = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
	}
}

From Command Line:

Get and put a bucket policy. The following example shows how to download an Amazon S3 bucket policy, make modifications to the file, and then use put-bucket-policy to apply the modified bucket policy. Run following command to download the bucket policy to a file.

aws s3api get-bucket-policy --bucket BUCKET_NAME --query Policy --output text > policy.json

You can then modify the policy.json file as needed. Finally you can apply this modified policy back to the S3 bucket by running:

aws s3api put-bucket-policy --bucket BUCKET_NAME --policy POLICY.JSON

Note: Use action as s3:Put *and Effect:Deny for user principals*. Follow reference links for more details on json policy.

References:

https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html
https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-policy.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere — web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

AWS CCPA Framework
AWS CloudGuard Best Practices
AWS CloudGuard S3 Bucket Security
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HIPAA
AWS HITRUST
AWS ISO 27001:2013
AWS ITSG-33
AWS LGPD regulation
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS Risk Management
AWS Security Risk Management