S3 buckets should not grant any external privileges via ACL

ACLs have been largely deprecated by bucket policies.

Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.42
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

S3Bucket where acl.grants contain [canonicalUser isEmpty() and type='Group'] should have acl.grants contain [ uri ='http://acs.amazonaws.com/groups/s3/LogDelivery']

REMEDIATION

From Portal
Follow the steps below to change ACL permissions:

  1. Go to the Amazon S3 console.
  2. Select the S3 bucket you want to change.
  3. Select the Permissions tab, then go to Access Control List and click Edit.
  4. Go to Everyone and uncheck the List, Read and Write bucket permissions. Do the same for the Authenticated users group and click Save.

Note: Step 4 must be repeated for every grantee that should not hold the privilege.

From Command Line

  1. Use the following command to make an S3 bucket not publicly accessible (resets the ACL to owner-only):

aws s3api put-bucket-acl --bucket BUCKET_NAME --acl private

  2. Use the following command to modify the public access block configuration for the S3 bucket (the shorthand value must contain no spaces, otherwise the CLI treats each comma-separated part as a separate argument):

aws s3api put-public-access-block --bucket fugue-bucket-example --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
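The following is an added example, not part of the CloudGuard rule page or any Check Point tooling. It applies the GSL logic above to the JSON that `aws s3api get-bucket-acl` returns (the sample ACL below is constructed, with placeholder IDs) and, when the bucket fails, emits the two remediation commands from this section for a given bucket name. The group URIs are the documented S3 ACL group identifiers; `external_group_grants`, `is_compliant` and `remediation_commands` are names chosen here.

```python
import json

# Documented S3 ACL group URIs. Only the log-delivery group is an acceptable
# group grantee under this rule.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Constructed sample of `aws s3api get-bucket-acl --bucket BUCKET_NAME` output:
# an owner grant, a legitimate log-delivery grant, and two external group grants.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "EXAMPLE_OWNER_CANONICAL_ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_CANONICAL_ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
     "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"}
  ]
}
""")


def external_group_grants(acl):
    """Return (uri, permission) pairs for grants that fail the rule.

    Mirrors the GSL: grantees with type 'Group' and no canonical user must
    have the LogDelivery URI; any other group grant is an external privilege.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("ID"):
            continue  # canonical users and email grantees are outside this rule
        if grantee.get("URI") != LOG_DELIVERY:
            findings.append((grantee.get("URI"), grant.get("Permission")))
    return findings


def is_compliant(acl):
    """True when no external group grant is present in the ACL."""
    return not external_group_grants(acl)


def remediation_commands(bucket):
    """The two CLI steps from the remediation section, for the given bucket."""
    return [
        f"aws s3api put-bucket-acl --bucket {bucket} --acl private",
        f"aws s3api put-public-access-block --bucket {bucket} "
        "--public-access-block-configuration "
        "BlockPublicAcls=true,IgnorePublicAcls=true,"
        "BlockPublicPolicy=true,RestrictPublicBuckets=true",
    ]


if __name__ == "__main__":
    for uri, permission in external_group_grants(SAMPLE_ACL):
        print(f"FAIL: {permission} granted to group {uri}")
    if not is_compliant(SAMPLE_ACL):
        print("Remediation:")
        print("\n".join(remediation_commands("BUCKET_NAME")))
```

Run against real output by piping `aws s3api get-bucket-acl --bucket BUCKET_NAME` into `json.loads` in place of the constructed sample; the check flags the AllUsers and AuthenticatedUsers grants and leaves the LogDelivery grant alone, which is exactly the distinction the GSL makes.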

References

  1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-iam-policies.html
  2. https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 4.0