Ensure that the S3 bucket is not publicly writable
Amazon S3 supports a set of predefined grants, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. The PublicReadWrite canned ACL lets anyone on the internet write to the bucket, so S3 buckets should not be publicly writable unless that is explicitly required.
Risk Level: Critical
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.CFT.IAM.10
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
AWS_S3_Bucket should not have AccessControl='PublicReadWrite'
REMEDIATION
From CFT
Set the AWS::S3::Bucket AccessControl property to one of Private, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead.
Or remove the AccessControl property from the AWS::S3::Bucket resource.
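The following is an added example, not CloudGuard's own GSL engine or any code from the page: a small Python checker that applies the rule's logic (flag any AWS::S3::Bucket whose AccessControl is PublicReadWrite) to a CloudFormation template, then applies the page's remediation by replacing the forbidden ACL with Private. The template is a constructed sample in JSON form (the logical IDs and bucket names are made up) so the script runs offline without a YAML parser; a bucket with no AccessControl property is treated as compliant, and an AccessControl value that is an intrinsic function (for example a Ref to a parameter) is reported as unresolved rather than silently passed, since its value cannot be determined statically.

```python
import json

# Canned ACL the rule forbids (from the page's GSL logic).
FORBIDDEN_ACL = "PublicReadWrite"

# Constructed sample template (JSON form of a CloudFormation template), not from the page.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"AclParam": {"Type": "String", "Default": "Private"}},
    "Resources": {
        "UploadsBucket": {  # violates the rule
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-uploads", "AccessControl": "PublicReadWrite"},
        },
        "LogsBucket": {  # allowed canned ACL
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "LogDeliveryWrite"},
        },
        "DataBucket": {  # no AccessControl property: default (private) ACL
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-data"},
        },
        "ParamBucket": {  # ACL comes from a parameter: cannot be resolved statically
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": {"Ref": "AclParam"}},
        },
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},  # not an S3 bucket, ignored
    },
})


def s3_buckets(template):
    """Yield (logical_id, properties) for every AWS::S3::Bucket resource in a parsed template."""
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            yield logical_id, resource.setdefault("Properties", {})


def check_publicly_writable(template_text):
    """Apply the rule: return logical IDs of buckets with AccessControl='PublicReadWrite'.

    Buckets whose AccessControl is not a plain string (an intrinsic function such as Ref
    or Fn::If) are listed under 'unresolved' so a reviewer can inspect them by hand.
    """
    template = json.loads(template_text)
    result = {"violations": [], "unresolved": []}
    for logical_id, props in s3_buckets(template):
        acl = props.get("AccessControl")
        if acl is None:
            continue  # property absent: bucket gets the default private ACL
        if not isinstance(acl, str):
            result["unresolved"].append(logical_id)
        elif acl == FORBIDDEN_ACL:
            result["violations"].append(logical_id)
    return result


def remediate(template_text):
    """Return a copy of the template with PublicReadWrite replaced by Private (the page's remediation)."""
    template = json.loads(template_text)
    for _, props in s3_buckets(template):
        if props.get("AccessControl") == FORBIDDEN_ACL:
            props["AccessControl"] = "Private"
    return json.dumps(template, indent=2)


def access_control_of(template_text, logical_id):
    """Helper for inspection: the AccessControl value of one bucket, or None if unset."""
    template = json.loads(template_text)
    return template["Resources"][logical_id].get("Properties", {}).get("AccessControl")


if __name__ == "__main__":
    before = check_publicly_writable(SAMPLE_TEMPLATE)
    print("before remediation:", before)
    fixed = remediate(SAMPLE_TEMPLATE)
    print("after remediation:", check_publicly_writable(fixed))
```

The checker deliberately keeps the same narrow scope as the GSL rule above: only PublicReadWrite is a violation, and the remediation picks Private from the list the page gives. Real templates are usually YAML, so in practice the template text would first be converted to JSON (or parsed with a CloudFormation-aware YAML loader that understands the short-form intrinsic tags) before being handed to these functions.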
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-accesscontrol
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Compliance Frameworks
- AWS CloudFormation ruleset
Updated over 1 year ago