Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.42
Covered by Spectral: Yes
S3Bucket where acl.grants contain [canonicalUser isEmpty() and type='Group'] should have acl.grants contain [ uri ='http://acs.amazonaws.com/groups/s3/LogDelivery']
Follow the steps below to change the ACL permissions:
- Go to the Amazon S3 console.
- Select the S3 bucket you want to change.
- Select the Permissions tab, then go to Access Control List and click Edit.
- Go to Everyone and uncheck the List, Read and Write bucket permissions. Do the same for the Authenticated users group, then click Save.
Note: Repeat step 4 for every grantee that requires a change.
From Command Line
- Use the following command to set the bucket ACL to private, which removes the public group grants:
aws s3api put-bucket-acl --bucket BUCKET_NAME --acl private
- Use the following command to turn on the public access block configuration for the bucket (the shorthand list must contain no spaces after the commas, or the CLI rejects it):
aws s3api put-public-access-block --bucket BUCKET_NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
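To check a bucket against this rule outside the console, the following added example (not CloudGuard's or AWS's own code) evaluates the ACL JSON returned by `aws s3api get-bucket-acl`: any grant whose grantee is a Group without a canonical user ID is a finding unless the group is the S3 LogDelivery group. The sample ACLs and the owner ID are constructed placeholders.

```python
"""Evaluate an S3 bucket ACL (get-bucket-acl JSON shape) against CloudGuard rule
D9.AWS.IAM.42; the sample ACLs below are constructed for this example."""
import json
import sys

# Group URIs assigned by S3. LogDelivery is the only group the rule allows.
LOG_DELIVERY_GROUP = "http://acs.amazonaws.com/groups/s3/LogDelivery"
ALL_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GROUP_LABELS = {
    ALL_USERS_GROUP: "Everyone",
    AUTHENTICATED_USERS_GROUP: "Any authenticated AWS user",
}

def non_compliant_grants(acl: dict) -> list:
    """Return grants where the grantee is a Group with no canonical user ID
    and the group is not LogDelivery, i.e. exactly the grants the rule flags."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("ID"):
            continue  # canonical users and accounts are outside this rule
        uri = grantee.get("URI", "")
        if uri == LOG_DELIVERY_GROUP:
            continue  # log delivery grants are the rule's allowed exception
        findings.append({"group": GROUP_LABELS.get(uri, uri),
                         "permission": grant.get("Permission")})
    return findings

def is_compliant(acl: dict) -> bool:
    return not non_compliant_grants(acl)

# Constructed sample: a public-read bucket that also has a LogDelivery grant.
PUBLIC_ACL = {
    "Owner": {"ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_GROUP}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_GROUP}, "Permission": "WRITE"},
    ],
}
# Same bucket after `put-bucket-acl --acl private`: only the owner grant remains.
PRIVATE_ACL = {"Owner": PUBLIC_ACL["Owner"], "Grants": PUBLIC_ACL["Grants"][:1]}

if __name__ == "__main__":
    # Reads real ACL JSON from stdin when piped in; falls back to the sample.
    acl = json.load(sys.stdin) if not sys.stdin.isatty() else PUBLIC_ACL
    print(json.dumps({"compliant": is_compliant(acl),
                      "findings": non_compliant_grants(acl)}, indent=2))
```

Run it as `aws s3api get-bucket-acl --bucket BUCKET_NAME | python3 check_acl.py` (script name assumed) to evaluate a real bucket; the LogDelivery grant is reported as allowed, the Everyone grant as a finding.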
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 4.0