Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.LOG.08
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

S3Bucket where policy.Statement contain [Principal.Service='cloudtrail.amazonaws.com'] should not have ( acl.grants contain [uri like 'http://acs.amazonaws.com/groups/global/%'] or policy.Statement with [Effect='Allow' and (Principal='*' or Principal.AWS='*') and Condition isEmpty()])

REMEDIATION

From Portal
Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:

Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
Click on the bucket used to store CloudTrail logs and select Permissions tab.
Ensure block public access is enabled for that bucket.
Then go to Access Control list, it shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
Select the row that grants permission to Everyone or Any Authenticated User
Uncheck all the permissions granted to Everyone or Any Authenticated User (click x to delete the row).
Click Save to save the ACL.
If the Edit bucket policy button is present, click it.
Remove any Statement having an Effect set to Allow and a Principal set to '*' or {'AWS' : '*'}.

From TF
Add a policy document with required permissions and appropriate condition as needed as follows:

data "aws_iam_policy_document" "example" {
	...
	statement {
		effect = "Allow"
		
		actions = [
		REQUIRED_ACTIONS
		]
		principals {
			REQUIRED_PRINCIPALS
		}
		
		resources = [
		"S3_BUCKET_ARN",
		]
		
		condition {
			test     = TEST
			variable = CONTEXT_VARIABLE
			
			values = [
			VALUES
			]
		}
	}
	...
}

From Command Line
To add a policy with required permissions and appropriate condition as needed, run:

aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://policy.json

References

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere - web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.

Compliance Frameworks

AWS CCPA Framework
AWS CIS Controls V 8
AWS CIS Foundations v. 1.0.0
AWS CIS Foundations v. 1.1.0
AWS CIS Foundations v. 1.2.0
AWS CIS Foundations v. 1.3.0
AWS CIS Foundations v. 1.4.0
AWS CIS Foundations v. 1.5.0
AWS CIS Foundations v. 2.0.0
AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard S3 Bucket Security
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS GDPR Readiness
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS LGPD regulation
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset
CloudGuard AWS Default Ruleset