Risk Level: Critical
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.37
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

S3Bucket should not have policy.Statement with [Effect='Allow' and (Principal='*' or Principal.AWS='*') and Condition isEmpty() and (Action contain [$ regexMatch /^s3:Get/] or Action regexMatch /^s3:Get/) ]

REMEDIATION

From Portal:

Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.
Choose Permissions.
Under Bucket policy, choose Edit. This opens the Edit bucket policy page.
On the Edit bucket policy page, explore Policy examples in the Amazon S3 User Guide, choose Policy generator to generate a policy automatically, or edit the JSON in the Policy section.
Here Remove policies for s3:Get actions for principals''. If necessary, modify the policy instead, to limit the access to specific principals.
In the Policy box, edit the existing policy or paste the bucket policy from the Policy generator. Make sure to resolve security warnings, errors, general warnings, and suggestions before you save your policy.
Choose Save changes, which returns you to the Bucket Permissions page.

From TF:
Add a policy document with required permissions and appropriate condition as needed as follows:

data "aws_iam_policy_document" "example" {
	...
	statement {
		effect = "Allow"
		
		actions = [
		REQUIRED_ACTIONS
		]
		principals {
			REQUIRED_PRINCIPALS
		}
		
		resources = [
		"S3_BUCKET_ARN",
		]
		
		condition {
			test     = TEST
			variable = CONTEXT_VARIABLE
			
			values = [
			VALUES
			]
		}
	}
	...
}

From Command Line:
To add a policy with required permissions and appropriate condition as needed, run:

aws s3api put-bucket-policy --bucket BUCKET-NAME --policy file://policy.json

References:

https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
https://registry.terraform.io/providers/hashicorp/aws/3.3.0/docs/data-sources/iam_policy_document
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere — web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

AWS CCPA Framework
AWS CloudGuard Best Practices
AWS CloudGuard S3 Bucket Security
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HIPAA
AWS HITRUST
AWS ISO 27001:2013
AWS ITSG-33
AWS LGPD regulation
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS Risk Management
AWS Security Risk Management