Description:
This policy ensures that all S3 buckets have Access Control Lists (ACLs) enabled. This helps to control who has access to the objects in your S3 buckets.
Rationale:
ACLs allow you to specify who has read, write, and/or delete permissions to the objects in your S3 buckets. This can help to protect your data from unauthorized access.
Impact:
If you do not enable ACLs on your S3 buckets, anyone who has the bucket's URL will be able to access the objects in the bucket. This could lead to data breaches or unauthorized access to your sensitive data.
Default Value:
By default, S3 buckets are created with ACLs disabled. You must explicitly enable ACLs for each bucket.
Pre-requisites:
- You must have an AWS account and be an IAM user with the appropriate permissions to enable ACLs on S3 buckets.
Remediation Steps:
- Enable ACLs for each S3 bucket.
- Verify that the ACLs are enabled by checking the S3 console or the AWS CLI.
Test Plan:
- Identify a subset of S3 buckets that do not have ACLs enabled.
- Enable ACLs for the selected S3 buckets.
- Verify that the ACLs are enabled by checking the S3 console or the AWS CLI.
Implementation Plan:
AWS CLI:
aws s3api put-bucket-acl --bucket <bucket-name> --acl <acl-string>
Replace <bucket-name> with the name of the target bucket and <acl-string> with the canned ACL to apply (for example, private).
AWS GUI:
- Go to the S3 console.
- Click the name of the bucket that you want to enable ACLs for.
- Click Permissions.
- Select the Bucket ACL tab.
- Click Edit.
- In the ACL section, select the Enable checkbox.
- Click Save.
Backout Plan:
- Disable ACLs for each S3 bucket.
- Verify that the ACLs are disabled by checking the S3 console or the AWS CLI.
Note:
- This policy applies to all regions and accounts.
- You can use the AWS CLI or the AWS SDKs to automate the process of enabling and disabling ACLs on S3 buckets.
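The following script is an added example of the automation the note above refers to; it is not code from this policy or from AWS. It assumes that a bucket's Object Ownership setting is what determines whether ACLs are in effect (BucketOwnerEnforced disables them, ObjectWriter and BucketOwnerPreferred leave them enabled, and a bucket with no ownership controls behaves like ObjectWriter), and it evaluates each bucket from the same two responses the AWS CLI returns for get-bucket-ownership-controls and get-bucket-acl. The sample responses are constructed so the audit runs offline; the fetch_responses function shows the live boto3 path and needs credentials. Alongside the compliance check this policy asks for, it also lists any grants to the AllUsers or AuthenticatedUsers groups, since an enabled ACL that grants access to everyone is the condition a reviewer most wants to spot.

```python
"""Audit which S3 buckets have ACLs enabled from the shape of the S3 API responses.

Added example for this policy page, not AWS code. Assumption: the bucket's Object
Ownership setting is the ACL switch (BucketOwnerEnforced = ACLs disabled,
ObjectWriter / BucketOwnerPreferred = ACLs enabled, no ownership controls = ObjectWriter).
"""
import json
from typing import Dict, List, Optional, Tuple

ACL_DISABLED_MODES = {"BucketOwnerEnforced"}
ACL_ENABLED_MODES = {"ObjectWriter", "BucketOwnerPreferred"}

# Predefined S3 group grantees whose presence in an ACL makes a grant public or account-wide.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acls_enabled(ownership_controls: Optional[dict]) -> bool:
    """Decide from a get-bucket-ownership-controls response whether ACLs are in effect.

    Pass None when the API reported no ownership controls for the bucket.
    """
    if ownership_controls is None:
        return True
    for rule in ownership_controls.get("OwnershipControls", {}).get("Rules", []):
        mode = rule.get("ObjectOwnership")
        if mode in ACL_DISABLED_MODES:
            return False
        if mode in ACL_ENABLED_MODES:
            return True
    return True


def public_grants(bucket_acl: dict) -> List[str]:
    """List grants in a get-bucket-acl response made to the AllUsers or AuthenticatedUsers groups."""
    hits = []
    for grant in bucket_acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append(f"{grant.get('Permission')} -> {grantee['URI']}")
    return hits


def evaluate_bucket(name: str, ownership_controls: Optional[dict], bucket_acl: dict) -> dict:
    """Report one bucket. 'compliant' follows this policy (ACLs must be enabled);
    'public_grants' is the extra check a reviewer wants on any bucket whose ACL is live."""
    enabled = acls_enabled(ownership_controls)
    return {
        "bucket": name,
        "acls_enabled": enabled,
        "compliant": enabled,
        "public_grants": public_grants(bucket_acl) if enabled else [],
    }


def audit(responses: Dict[str, Tuple[Optional[dict], dict]]) -> List[dict]:
    """Evaluate every bucket in a {name: (ownership_controls, bucket_acl)} mapping."""
    return [evaluate_bucket(name, oc, acl) for name, (oc, acl) in sorted(responses.items())]


def fetch_responses(s3) -> Dict[str, Tuple[Optional[dict], dict]]:
    """Collect both responses per bucket with a boto3 S3 client (needs credentials; not run
    offline). OwnershipControlsNotFoundError is the error code S3 returns when a bucket
    has no ownership controls configured."""
    from botocore.exceptions import ClientError  # imported here so the offline path has no dependency

    out = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            oc = s3.get_bucket_ownership_controls(Bucket=name)
        except ClientError as err:
            if err.response["Error"]["Code"] != "OwnershipControlsNotFoundError":
                raise
            oc = None
        out[name] = (oc, s3.get_bucket_acl(Bucket=name))
    return out


# Constructed sample responses standing in for real API output (placeholder owner ID).
OWNER = {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}
SAMPLE_RESPONSES = {
    "logs-archive": (
        {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
        {"Owner": OWNER, "Grants": [OWNER_GRANT]},
    ),
    "static-site": (
        {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}},
        {"Owner": OWNER, "Grants": [OWNER_GRANT, {
            "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]},
    ),
    "legacy-data": (None, {"Owner": OWNER, "Grants": [OWNER_GRANT]}),
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESPONSES), indent=2))
```

Run it as-is to see the report for the constructed buckets; to audit a real account, pass `fetch_responses(boto3.client("s3"))` to `audit` instead of `SAMPLE_RESPONSES`. The same classification can be applied to the JSON printed by `aws s3api get-bucket-ownership-controls` and `aws s3api get-bucket-acl` if you prefer the CLI over the SDK.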
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html