Profile Applicability:
- Level 2
Description:
Amazon S3 Access Control Lists (ACLs) are a mechanism to control access to S3 buckets and objects at the individual object level. ACLs grant or deny permissions to specific AWS accounts or groups, enabling fine-grained access control. Ensuring that ACLs are enabled allows you to manage who has access to the S3 bucket and its objects. It is important to configure ACLs properly to prevent unauthorized access while ensuring that legitimate users or services can access the required data.
Rationale:
Enabling and configuring S3 ACLs is critical for managing access control, especially for shared datasets or public data. Misconfigured ACLs can result in unwanted public access to sensitive data, potentially violating security or compliance standards. Enabling and correctly managing ACLs ensures that only authorized users or services have access to the S3 bucket and its objects, thus protecting your data from unauthorized modifications or leaks.
Impact:
Pros:
Provides a flexible, fine-grained access control mechanism for managing access to S3 objects and buckets.
Helps comply with security policies and regulations by restricting access to authorized users.
Allows for control over access at both the bucket and object level.
Cons:
Misconfigured ACLs can expose data to unauthorized users, leading to security vulnerabilities.
Managing ACLs can be complex, especially when multiple users or applications need specific permissions.
May require ongoing monitoring and updates to ensure that ACLs remain in compliance with security policies.
Default Value:
By default, ACLs are enabled for all S3 buckets, and the default ACL grants access to the objects only to the bucket owner. ACLs can, however, be modified to grant additional permissions to other users or groups.
Pre-requisites:
AWS IAM permissions to manage S3 bucket ACLs:
s3:PutBucketAcl
s3:GetBucketAcl
Access to the S3 bucket configuration to review or modify ACL settings.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to S3 and select Buckets from the left-hand menu.
Select the S3 bucket you want to check.
Under the Permissions tab, review the Access Control List (ACL) section.
Ensure that the ACL is properly configured, providing the appropriate permissions to the necessary AWS accounts, groups, or other users.
If ACLs are not configured or need adjustment, click Edit to modify the ACL settings.
Using AWS CLI:
List all S3 buckets:
aws s3api list-buckets --query "Buckets[*].Name"
For each bucket, check if an ACL is enabled and review the current ACL settings:
aws s3api get-bucket-acl --bucket <BUCKET_NAME>
Review the ACL permissions in the output to ensure that they are configured as expected.
If ACLs are not enabled or need modification, you can set or update the ACL by using the following command:
aws s3api put-bucket-acl --bucket <BUCKET_NAME> --acl private
Replace private with the appropriate ACL configuration (e.g., public-read, authenticated-read, or a custom configuration).
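A small checker for the output of the get-bucket-acl command above, added here as an example and not part of the benchmark text: it reads the JSON that aws s3api get-bucket-acl --bucket <BUCKET_NAME> prints (pipe it in on stdin) and flags every grant that reaches beyond the bucket owner, i.e. grants to the AllUsers and AuthenticatedUsers groups or to a canonical user other than the owner. The group URIs are the documented AWS values; the sample ACL at the bottom and its OWNER_ID are constructed placeholders.

```python
import json
import sys
# Predefined S3 ACL group URIs (documented AWS values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

def classify_grants(acl):
    """Return (severity, permission, grantee) for each grant in parsed get-bucket-acl JSON
    that reaches beyond the bucket owner; an empty list means the ACL is effectively private."""
    owner_id = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant.get("Grantee", {}), grant.get("Permission")
        if grantee.get("Type") == "Group":
            uri = grantee.get("URI")
            if uri == ALL_USERS:                # anyone on the internet, unauthenticated
                findings.append(("PUBLIC", perm, "AllUsers"))
            elif uri == AUTHENTICATED_USERS:    # any AWS account in the world, not only yours
                findings.append(("PUBLIC", perm, "AuthenticatedUsers"))
            elif uri == LOG_DELIVERY:           # expected when server access logging targets this bucket
                findings.append(("INFO", perm, "LogDelivery"))
            else:
                findings.append(("REVIEW", perm, str(uri)))
        elif grantee.get("Type") == "CanonicalUser":
            if grantee.get("ID") != owner_id:   # the owner's own FULL_CONTROL is the "private" baseline
                findings.append(("CROSS_ACCOUNT", perm, str(grantee.get("ID"))))
        else:                                   # e.g. AmazonCustomerByEmail grantees
            findings.append(("REVIEW", perm, json.dumps(grantee, sort_keys=True)))
    return findings

def is_private(acl):
    """True when no grant reaches beyond the owner, i.e. what `--acl private` produces."""
    return not classify_grants(acl)

# Constructed sample in the shape of get-bucket-acl output for a bucket set to public-read.
OWNER_ID = "0" * 64  # placeholder canonical user ID, not a real account
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    acl = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ACL
    for severity, perm, who in classify_grants(acl):
        print(f"{severity}: {perm} granted to {who}")
    sys.exit(0 if is_private(acl) else 1)
```

Run as aws s3api get-bucket-acl --bucket <BUCKET_NAME> | python3 check_acl.py; a non-zero exit means the bucket ACL grants access beyond the owner and should be reviewed.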
Implementation Plan:
Using AWS Console:
Open the S3 Console and select the desired bucket.
Under the Permissions tab, locate the Access Control List (ACL) section.
Edit the ACL to grant or deny access as needed to specific AWS accounts, groups, or users.
Save the changes to apply the updated ACL configuration.
Using AWS CLI:
To enable or modify an ACL, run the following command (example with private ACL):
aws s3api put-bucket-acl --bucket <BUCKET_NAME> --acl private
You can replace private with the desired ACL setting (e.g., public-read, authenticated-read, or a custom ACL).
Verify the changes by checking the ACL again:
aws s3api get-bucket-acl --bucket <BUCKET_NAME>
Backout Plan:
Using AWS Console:
If changes to the ACL cause issues, sign in to the AWS Management Console.
Navigate to Amazon S3, select the bucket, and go to the Permissions tab.
Revert the ACL settings to the previous configuration if needed.
Save the changes and monitor the bucket to ensure it functions correctly.
Using AWS CLI:
To revert the ACL to its previous configuration, run the following command, replacing private with the previously recorded ACL setting:
aws s3api put-bucket-acl --bucket <BUCKET_NAME> --acl private
Verify that the settings have been reverted:
aws s3api get-bucket-acl --bucket <BUCKET_NAME>
Reference:
CIS Controls: