S3 bucket should not have world-readable permissions from anonymous users

Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion

Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.34
Covered by Spectral: No
Category: Storage

GSL LOGIC

S3Bucket should not have acl.grants contain [uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' and (permission = 'FULL_CONTROL' or permission = 'READ_ACP')]

REMEDIATION

The S3 Block Public Access feature provides settings for access points, buckets, and accounts to help manage public access to Amazon S3 resources. By default, new buckets, access points, and objects don't allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access. To remediate an existing bucket policy to non-public access, follow these steps:

  1. Sign in to your S3 bucket console - https://s3.console.aws.amazon.com/
  2. Click on the bucket whose bucket policy you want to remediate
  3. On the bucket dashboard, click on the Permissions tab
  4. In the Permissions tab, click on the Bucket Policy button
  5. Ensure that the Principal and Resource elements, along with Action (such as s3:*), in the policy do not contain a * (values that contain a wildcard). If the bucket policy grants access to all Resource elements and Principal elements, you can make these policies non-public by including any of the following condition keys:
    aws:SourceArn
    aws:SourceVpc
    aws:SourceVpce
    aws:SourceOwner
    aws:SourceAccount
    s3:x-amz-server-side-encryption-aws-kms-key-id
    aws:userid, outside the pattern 'AROLEID:*'
    s3:DataAccessPointArn, using a fixed value.
    Please refer to https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html to create a new bucket policy.
    Similarly, make sure that no S3 bucket access control lists (ACLs) exist that grant read, write, or full access to Everyone or to Any authenticated AWS user. For more information, please refer to https://docs.aws.amazon.com/AmazonS3/latest/dev/S3_ACLs_UsingACLs.html
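The following is an added example, not part of the CloudGuard rule or of AWS documentation. It reproduces the two checks described above in plain Python so they can be run offline against the data structures boto3 returns: the ACL check mirrors the GSL logic (a grant to the AuthenticatedUsers or AllUsers group URI with a risky permission), and the policy check mirrors step 5 (an Allow statement for a wildcard principal with none of the listed scoping condition keys). The ACL, the public policy and the VPC-endpoint-scoped policy are constructed sample inputs; the owner ID, bucket name and endpoint ID are placeholders. The policy check is deliberately conservative: it only looks for the presence of a scoping key and does not evaluate the values (so it does not test the 'AROLEID:*' pattern exception for aws:userid).

```python
import json

# Canonical group URIs that S3 uses in ACL grants for "Everyone" and
# "Any authenticated AWS user".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}
RISKY_PERMISSIONS = {"FULL_CONTROL", "READ", "READ_ACP", "WRITE", "WRITE_ACP"}

# Condition keys from the remediation text that can scope a wildcard principal.
# IAM condition keys are case-insensitive, so everything is compared lower-cased.
SCOPING_CONDITION_KEYS = {k.lower() for k in (
    "aws:SourceArn", "aws:SourceVpc", "aws:SourceVpce", "aws:SourceOwner",
    "aws:SourceAccount", "s3:x-amz-server-side-encryption-aws-kms-key-id",
    "aws:userid", "s3:DataAccessPointArn",
)}


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs that expose the bucket to everyone
    or to any authenticated AWS account. `acl` has the shape of the dict
    returned by boto3 `get_bucket_acl` (an 'Owner' plus a 'Grants' list)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GRANTEES:
            continue
        if grant.get("Permission") in RISKY_PERMISSIONS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_keys(condition):
    # A Condition block is {operator: {key: value, ...}, ...}; collect the keys.
    keys = set()
    for operator_block in (condition or {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def public_policy_statements(policy):
    """Return the Sids of Allow statements granted to a wildcard principal that
    carry none of the scoping condition keys. Accepts a dict or a JSON string
    (the 'Policy' field of boto3 `get_bucket_policy` is a JSON string)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    public = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if _condition_keys(stmt.get("Condition")) & SCOPING_CONDITION_KEYS:
            continue  # scoped by one of the listed keys: treated as non-public
        public.append(stmt.get("Sid", "<no Sid>"))
    return public


# Constructed sample inputs (placeholder IDs, not from any real account).
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ_ACP"},  # this is the grant the GSL rule flags
    ],
}

PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
PUBLIC_POLICY_JSON = json.dumps(PUBLIC_POLICY)

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}},
    }],
}

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("public policy statements:", public_policy_statements(PUBLIC_POLICY_JSON))
    print("scoped policy statements:", public_policy_statements(SCOPED_POLICY))
```

Running it reports the READ_ACP grant to AuthenticatedUsers and the "PublicRead" statement, and reports nothing for the policy scoped with aws:SourceVpce. In a real account the same functions can be fed the output of `get_bucket_acl` and `get_bucket_policy` for each bucket; a clean result from both checks is the state the remediation steps aim for.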

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS Risk Management
  • AWS Security Risk Management