Description:
Amazon Simple Storage Service (Amazon S3) is an object storage service that stores and protects any amount of data. Buckets are similar to file folders: they store objects, each of which consists of data and its descriptive metadata.
The example policies use the strings bucket and example bucket in the resource value. To test these policies, replace these strings with your bucket name. You can use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket. You can then use the generated document to set your bucket policy by using the Amazon S3 console, through several third-party tools, or via your application.
Rationale:
An S3 bucket that allows WRITE (UPLOAD/DELETE) access to everyone (i.e. anonymous users) gives attackers the ability to add, delete and replace objects within the bucket, which can lead to S3 data loss or unintended charges on your AWS bill.
Impact:
Blocking public write access protects the S3 data from unauthorized users. If you allow WRITE (Upload/Delete) access to everyone (i.e. anonymous users), you grant them the privilege to add, delete and replace objects within the bucket, which can result in loss of data from your S3 buckets or unintended charges on your AWS bill.
Default Value:
By default, all Amazon S3 buckets and objects are private. Only the resource owner, which is the AWS account that created the bucket, can access that bucket.
Pre-Requisite:
Sign in as an administrator or as an IAM user with the required permissions.
Remediation:
Test Plan:
Step 1: Log in to the AWS Management Console and go to the S3 dashboard at https://console.aws.amazon.com/s3/.
Step 2: Click on Buckets in the left navigation pane.
Step 3: Click on the bucket that you want to audit and go to the Permissions tab.
Step 4: Scroll down to the Block public access (bucket settings) section and check whether it is On or Off.
In the screenshot for this step (not reproduced here), Block all public access is Off, which means everyone can be granted permission to upload or delete objects (write).
Step 5: Scroll down to the Access control list (ACL) section and check whether Everyone (public access) has been given Write access.
Implementation Step:
Step 1: Log in to the AWS Management Console and go to the S3 dashboard at https://console.aws.amazon.com/s3/.
Step 2: Click on Buckets in the left navigation pane.
Step 3: Click on the bucket that you want to remediate and go to the Permissions tab.
Step 4: In the Block public access (bucket settings) section, click the Edit button.
Step 5: Check the Block all public access checkbox and click Save changes.
Step 6: Type confirm and click the Confirm button.
Step 7: If you want to set a bucket policy, scroll down to the Bucket policy section and click the Edit button (the bucket policy is written in JSON).
If you want to generate a policy, click Policy generator; after generating the policy, copy the text, paste it into the bucket policy JSON editor and click Save changes.
Step 8: Scroll down to the Access control list (ACL) section and make sure Write access is not given to Everyone (public access).
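As an added example (not part of this benchmark's text or of any AWS tooling), the following Python script performs the checks of Test Plan Steps 4 and 5 against the JSON that the AWS CLI returns for a bucket's public access block settings and ACL, and then evaluates the configuration that Implementation Steps 5 and 8 produce. The ACL and public access block documents are constructed sample data, and the function names audit_bucket, public_write_grants and block_public_access_on are mine.

```python
import json

# Constructed sample data (not from any real bucket). In practice the two documents come from
#   aws s3api get-public-access-block --bucket <bucket-name>   and
#   aws s3api get-bucket-acl --bucket <bucket-name>
# The first fails with NoSuchPublicAccessBlockConfiguration if the setting was never applied;
# that means Block public access is Off and is represented as None below.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # "Everyone (public access)" in the console
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account at all
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # WRITE_ACP lets the ACL itself be rewritten

PUBLIC_WRITE_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"}
  ]}""")
PAB_OFF = None  # no public access block configuration: Block all public access is Off
PAB_ON = {"PublicAccessBlockConfiguration": {  # result of Implementation Step 5
    "BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
# ACL after Implementation Step 8 (Everyone no longer has Write): owner grant only.
PRIVATE_ACL = {"Owner": PUBLIC_WRITE_ACL["Owner"], "Grants": PUBLIC_WRITE_ACL["Grants"][:1]}

def block_public_access_on(pab):
    """Test Plan Step 4: True only when all four Block public access settings are enabled."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in
               ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))

def public_write_grants(acl):
    """Test Plan Step 5: (group, permission) pairs that give Everyone or any AWS user write access."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            if grant.get("Permission") in WRITE_PERMISSIONS:
                found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found

def audit_bucket(acl, pab):
    """Return ('PASS'|'FAIL', reasons). A public write grant is still reported when IgnorePublicAcls
    masks it, because Implementation Step 8 wants the grant removed rather than masked."""
    reasons = []
    if not block_public_access_on(pab):
        reasons.append("Block all public access is Off")
    ignored = (pab or {}).get("PublicAccessBlockConfiguration", {}).get("IgnorePublicAcls") is True
    for group, permission in public_write_grants(acl):
        status = "ignored by IgnorePublicAcls" if ignored else "effective"
        reasons.append(f"ACL grants {permission} to {group} ({status})")
    return ("FAIL" if reasons else "PASS"), reasons
```

Running audit_bucket(PUBLIC_WRITE_ACL, PAB_OFF) reports FAIL with both findings, while audit_bucket(PRIVATE_ACL, PAB_ON) reports PASS; a bucket with the block enabled but the grant still present is flagged so the ACL cleanup of Step 8 is not skipped.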
Backout Plan:
To provide write access to everyone (that is, to make the bucket public), follow the implementation steps, but in Step 5 uncheck the Block all public access checkbox.
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html