Ensure that S3 Bucket policy doesn't allow actions from all principals without a condition
Misconfigured S3 buckets can leak private data to the entire internet or allow unauthorized tampering with or deletion of data. An S3 bucket policy should follow the principle of least privilege. An Allow statement whose Principal is "*" (or {"AWS": "*"}) grants the listed actions to anyone, including unauthenticated callers, unless a Condition element narrows its scope (for example to a specific VPC endpoint via aws:SourceVpce, a source IP range via aws:SourceIp, or your own organization via aws:PrincipalOrgID). This rule flags such wildcard-principal Allow statements that have no Condition at all; it does not judge how strong the condition is, so a condition must still be chosen that actually restricts who can reach the bucket.
Risk Level: Critical
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.40
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
S3Bucket should not have policy.Statement with [Effect='Allow' and (Principal='*' or Principal.AWS='*') and Condition isEmpty()]
REMEDIATION
From Portal
- Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.
- Choose Permissions.
- Under Bucket policy, choose Edit. This opens the Edit bucket policy page.
- In the Policy box, edit the existing policy.
- Choose Save changes, which returns you to the Bucket Permissions page.
From TF
Add a policy document with the required permissions and an appropriate condition, and attach it to the bucket with an aws_s3_bucket_policy resource, as follows:
data "aws_iam_policy_document" "example" {
  ...
  statement {
    effect = "Allow"
    actions = [
      REQUIRED_ACTIONS
    ]
    # principals requires both a type (for example "AWS" or "Service") and identifiers;
    # identifiers = ["*"] is only acceptable when the condition block below scopes it
    principals {
      REQUIRED_PRINCIPALS
    }
    # object-level actions need the object ARN pattern (bucket ARN followed by /*) as well
    resources = [
      "S3_BUCKET_ARN",
    ]
    # the condition narrows who or where the statement applies to; this rule flags
    # Allow statements that combine a wildcard principal with no condition
    condition {
      test     = TEST
      variable = CONTEXT_VARIABLE
      values = [
        VALUES
      ]
    }
  }
  ...
}
From Command Line
To review the bucket's current policy before changing it, run aws s3api get-bucket-policy --bucket BUCKET-NAME. To replace it with a policy file containing the required permissions and an appropriate condition, run:
aws s3api put-bucket-policy --bucket BUCKET-NAME --policy file://policy.json
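The following is an added example, not part of the original rule page and not CloudGuard's own implementation of the GSL logic above. It applies the rule's three tests (Effect is Allow, Principal is "*" or {"AWS": "*"}, Condition is missing or empty) to a policy document in the JSON form that put-bucket-policy accepts, and shows a non-compliant policy beside a corrected one. Both policies, the bucket name example-bucket, the account ID 123456789012 and the organization ID o-example123456 are constructed for illustration. As one small extension of the rule text, a "*" appearing inside a list under Principal.AWS is also treated as a wildcard.

```python
import json

def wildcard_principal(principal):
    """True when the Principal element is '*' or {'AWS': '*'}.

    A '*' inside a list under 'AWS' is also counted (an extension of the
    rule text, since a list containing '*' grants to everyone just the same).
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_unconditioned_public_statements(policy):
    """Return the Sids of statements that violate the rule.

    A statement violates it when Effect is Allow, the principal is a
    wildcard, and Condition is absent or an empty object. Deny statements
    and statements with any non-empty Condition are not flagged.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # IAM allows a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):          # {} and missing both count as empty
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def check_policy_text(policy_json):
    """Convenience wrapper for the raw text of a policy.json file."""
    return find_unconditioned_public_statements(json.loads(policy_json))


# Constructed non-compliant policy: both Allow statements open the bucket
# to any principal without a Condition (the second has an empty one).
NONCOMPLIANT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "EmptyCondition", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {}},
    ],
}

# Constructed corrected policy: the wildcard Allow is scoped to one
# organization, a named role needs no condition, and the wildcard Deny
# (which the rule does not flag) enforces TLS.
COMPLIANT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example123456"}}},
        {"Sid": "AppRoleList", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(name, "->", find_unconditioned_public_statements(policy))
    # Write the corrected policy in the form put-bucket-policy expects.
    with open("policy.json", "w") as fh:
        json.dump(COMPLIANT, fh, indent=2)
```

Run it with the output of aws s3api get-bucket-policy (the Policy field is a JSON string, so pass it to check_policy_text) to see which statements would trigger the rule before editing. The check mirrors the rule exactly, which means a wildcard Allow with only a weak condition such as aws:SecureTransport true would pass it while still being world-readable; passing the rule is necessary, not sufficient.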
References
- https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
- https://registry.terraform.io/providers/hashicorp/aws/3.3.0/docs/data-sources/iam_policy_document
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
- https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Compliance Frameworks
- AWS CCPA Framework
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset
Updated over 1 year ago