Description:
This policy ensures that no S3 Glacier vault has a vault access policy that allows everyone to access it. Such a policy is a security risk, as it allows anyone to read, write, and delete data in your vaults.
Rationale:
Allowing everyone to access your S3 Glacier vaults is a security risk. This is because anyone could potentially read, write, or delete data in your vaults. This could lead to data breaches, financial losses, and reputational damage.
Impact:
If you allow everyone to access your S3 Glacier vaults, you could experience the following impacts:
- Data breaches: Anyone could potentially read, write, or delete data in your vaults. This could lead to the exposure of sensitive data, such as financial information or customer records.
- Financial losses: Data breaches can lead to financial losses. For example, you may have to pay for credit monitoring for your customers, or you may have to pay for legal fees to investigate the breach.
- Reputational damage: Data breaches can damage your reputation. If your customers find out that their data has been exposed, they may lose trust in your company. This could lead to a loss of customers and revenue.
Default Value:
AWS does not recommend allowing everyone to access your S3 Glacier vaults, and a vault does not grant such access unless a vault access policy explicitly allows it.
Pre-Requisite:
- You must have access to the AWS Management Console or the AWS CLI.
- You must know the region where the S3 Glacier vaults are located.
Remediation Steps:
- Identify all of the S3 Glacier vaults that have policies that allow everyone to access them.
- Update the policies of the S3 Glacier vaults to restrict access to only authorized users.
Test Plan:
- Verify that the policies of the S3 Glacier vaults have been updated to restrict access to only authorized users.
- Try to access the S3 Glacier vaults from an unauthorized user account. You should not be able to access the vaults.
Implementation Plan:
- Use the AWS Management Console to update the policies of the S3 Glacier vaults.
- Use the AWS CLI to update the policies of the S3 Glacier vaults.
AWS CLI Process:
aws glacier describe-vault --account-id - --vault-name <vault-name>
aws glacier get-vault-access-policy --account-id - --vault-name <vault-name>
aws glacier set-vault-access-policy --account-id - --vault-name <vault-name> --policy <policy>
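To carry out the first remediation step (finding every vault whose access policy grants access to everyone) before running the CLI commands above, the following added Python example, which is not part of this policy page, checks each vault access policy for Allow statements whose Principal is the wildcard. The policy detection works on any policy JSON offline; the region scan assumes boto3 and AWS credentials are available, and the sample policy, vault ARN and account ids are constructed for illustration.

```python
import json

# Constructed sample vault access policy (not from a real account): a wildcard
# Allow, a cross-account Allow, and a Deny addressed to everyone.
VAULT_ARN = "arn:aws:glacier:us-east-1:123456789012:vaults/examplevault"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["glacier:InitiateJob", "glacier:GetJobOutput"], "Resource": VAULT_ARN},
    {"Sid": "PartnerUpload", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "glacier:UploadArchive", "Resource": VAULT_ARN},
    {"Sid": "DenyDeleteAll", "Effect": "Deny", "Principal": {"AWS": ["*"]},
     "Action": "glacier:DeleteArchive", "Resource": VAULT_ARN},
]})

def principal_is_public(principal):
    """True when the Principal element names every caller: '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy_document):
    """Sids (or positions) of Allow statements that grant access to everyone.
    A Deny to everyone is not an exposure and is skipped. Statements with a
    Condition are still reported: the condition may or may not narrow access,
    so they need human review rather than silent acceptance."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be given bare
        statements = [statements]
    return [stmt.get("Sid", "Statement[%d]" % i)
            for i, stmt in enumerate(statements)
            if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal"))]

def find_public_vaults(region_name):
    """Scan every vault in a region; returns {vault_name: [offending Sids]}.
    Needs boto3 and AWS credentials (assumed), so boto3 is imported lazily here."""
    import boto3
    glacier = boto3.client("glacier", region_name=region_name)
    findings = {}
    for page in glacier.get_paginator("list_vaults").paginate(accountId="-"):
        for vault in page.get("VaultList", []):
            name = vault["VaultName"]
            try:
                resp = glacier.get_vault_access_policy(accountId="-", vaultName=name)
            except glacier.exceptions.ResourceNotFoundException:
                continue   # vault has no access policy attached: nothing to flag
            hits = public_statements(resp["policy"]["Policy"])
            if hits:
                findings[name] = hits
    return findings
```

Each vault name reported by find_public_vaults is a candidate for the set-vault-access-policy command above, with the flagged statement either removed or rewritten to name specific principals.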
Using AWS GUI:
- Go to the AWS Management Console.
- Click on the "S3 Glacier" tab.
- Select the S3 Glacier vaults that have policies that allow everyone to access them.
- Click on the "Edit" button.
- In the "Policy" section, enter a policy that restricts access to only authorized users.
- Click on the "Save" button.
Backout Plan:
- Identify the S3 Glacier vaults that you updated the policies of.
- Restore the original policies of the S3 Glacier vaults.
Note:
- This policy does not apply to S3 Glacier vaults that are in use by applications or services.
- This policy does not apply to S3 Glacier vaults that are used for archival purposes.
Reference:
https://docs.aws.amazon.com/amazonglacier/latest/dev/vault-access-policy.html