Description:

Amazon Simple Storage Service (Amazon S3) is an object storage service that stores and protects any amount of data. Buckets are similar to file folders: they store objects, which consist of data and its descriptive metadata.

The example policies use the strings bucket and example bucket in the Resource value. To test these policies, replace these strings with your bucket name. You can use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket, and then apply the generated document as your bucket policy through the Amazon S3 console, through several third-party tools, or from your application.


Rationale:

An S3 bucket that allows WRITE (upload/delete) access to everyone (i.e. anonymous users) gives attackers the ability to add, delete and replace objects within the bucket, which can lead to S3 data loss or unintended charges on your AWS bill.


Impact:

Blocking public write access protects S3 data from unauthorized users. If you allow WRITE (upload/delete) access to everyone (i.e. anonymous users), you grant them the privilege to add, delete and replace objects within the bucket, so you can lose data from your S3 buckets or incur unintended charges on your AWS bill.


Default Value:

By default, all Amazon S3 buckets and objects are private. Only the resource owner, which is the AWS account that created the bucket, can access that bucket.


Audit:

Step 1: Log in to the AWS Management Console and go to the S3 dashboard at https://console.aws.amazon.com/s3/.

Step 2: Click on Buckets in the left navigation pane.

Step 3: Click on the bucket that you want to audit and go to the Permissions tab.

Step 4: Scroll down to the Block public access (bucket settings) section and check whether it is On or Off.

In the screenshot that accompanied this step (not reproduced here), Block all public access is Off, which means everyone can be granted permission to upload or delete objects (write access).

Step 5: Scroll down to the Access control list (ACL) section and check whether Everyone (public access) has been given Write access.
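The audit steps above inspect three things: the Block Public Access settings, the bucket ACL, and the bucket policy. The following Python is an added example (not part of the original control text) that evaluates the same three checks on responses in the shape boto3 returns for a bucket; all sample bucket data is constructed and the bucket name is a placeholder.

```python
import json
from fnmatch import fnmatchcase
# Input shapes mirror boto3's get_bucket_acl(), get_public_access_block() and
# get_bucket_policy()["Policy"]; all sample values are constructed for this example.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # ACL permissions allowing upload/delete
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_write(acl):
    """Grants giving Everyone (AllUsers) or any AWS account (AuthenticatedUsers) write access."""
    return [(g["Grantee"].get("URI"), g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g["Permission"] in ACL_WRITE]

def policy_public_write(policy_json):
    """Sids of Allow statements letting Principal * run PutObject/DeleteObject (wildcards included).
    Condition blocks are not evaluated, so conditioned statements are still reported."""
    hits = []
    for st in json.loads(policy_json).get("Statement", []):
        p = st.get("Principal")
        principals = [p] if isinstance(p, str) else (p or {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and "*" in principals and any(
                fnmatchcase(op, a.lower()) for a in actions  # IAM action names are case-insensitive
                for op in ("s3:putobject", "s3:deleteobject")):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def bpa_disabled_flags(pab):
    """Block Public Access settings that are Off; 'Block all public access' means all four On."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [f for f in BPA_FLAGS if not cfg.get(f, False)]

def audit_bucket(acl, pab, policy_json=None):
    """Findings keyed by source of public write exposure; an empty dict means the control passes."""
    checks = {"acl": acl_public_write(acl), "block_public_access": bpa_disabled_flags(pab),
              "policy": policy_public_write(policy_json) if policy_json else []}
    return {k: v for k, v in checks.items() if v}

# Constructed sample data: a bucket that fails all three checks (bucket name is a placeholder).
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"}]}
SAMPLE_PAB_OFF = {"PublicAccessBlockConfiguration": {f: False for f in BPA_FLAGS}}
SAMPLE_PAB_ON = {"PublicAccessBlockConfiguration": {f: True for f in BPA_FLAGS}}  # the remediated state
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicUpload", "Effect": "Allow",
    "Principal": "*", "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"}]})
```

An ACL grant to AllUsers is reported even when IgnorePublicAcls is On, because the remediation's Step 8 asks for the grant itself to be removed rather than merely masked.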


Remediation:

Pre-Requisite:

  • Sign in as an admin or as an IAM user with the required permissions


Implementation Step:

Step 1: Log in to the AWS Management Console and go to the S3 dashboard at https://console.aws.amazon.com/s3/.

Step 2: Click on Buckets in the left navigation pane.

Step 3: Click on the bucket that you want to remediate and go to the Permissions tab.

Step 4: In the Block public access (bucket settings) section, click on the Edit button.

Step 5: Check the Block all public access checkbox and click on Save changes.

Step 6: Type confirm and click on the Confirm button.

Step 7: If you want to set a bucket policy, scroll down to the Bucket policy section and click on the Edit button; in the JSON editor you can write your own bucket policy for the bucket.

If you want to generate a policy instead, click on Policy generator; after generating the policy, copy the text, paste it into the bucket policy JSON editor, and click on Save.


Step 8: Scroll down to the Access control list (ACL) section and make sure Write access is not given to Everyone (public access).


Backout Plan:

To provide write access to everyone, that is, to make the bucket public, follow the implementation steps above but in Step 5 uncheck the Block public access (bucket settings) checkbox.


References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html