Profile Applicability:

  • Level 1

Description:
Amazon S3 allows users to configure Access Control Lists (ACLs) and bucket policies to control who can access and modify objects stored within S3 buckets. It is essential to ensure that no S3 buckets are writable by Everyone or Any AWS customer. Allowing write access to S3 buckets by the public or other AWS customers can expose sensitive data to unauthorized modification or deletion. To prevent potential misuse, buckets should only be writable by specific, authorized accounts or services.

Rationale:
Allowing write access to Everyone or Any AWS customer creates a significant security risk, as it can lead to unauthorized modifications or deletions of objects stored in the S3 bucket. Enforcing stricter access controls ensures that only authorized users or applications can modify the contents of the bucket. By disabling write permissions for the public, you can safeguard your data and maintain compliance with security best practices and regulations such as GDPR, HIPAA, and SOC 2.

Impact:

Pros:

  • Prevents unauthorized modifications or deletions of S3 data.

  • Ensures sensitive data is not exposed to the public or unauthorized AWS accounts.

  • Helps comply with security and regulatory requirements by ensuring that S3 data is protected.

  • Reduces the risk of accidental data loss or tampering.

Cons:

  • May require extra configuration if legitimate users need to have write access, particularly for shared datasets or public-facing applications.

  • Requires careful management of IAM policies and S3 bucket policies to ensure only authorized users can write to the bucket.

Default Value:
By default, new S3 buckets are not writable by Everyone or Any AWS customer. However, misconfigured ACLs or bucket policies can grant write access to the public.

Pre-requisites:

  • AWS IAM permissions to manage S3 bucket ACLs and policies:
     s3:PutBucketPolicy
     s3:GetBucketPolicy
     s3:PutBucketAcl
     s3:GetBucketAcl

  • Access to the S3 bucket configuration to review and modify ACLs or policies.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 and select Buckets from the left-hand menu.

  3. Select the S3 bucket you want to review.

  4. Under the Permissions tab, review the Bucket Policy and Access Control List (ACL) sections.

  5. In the Bucket Policy, ensure that there are no Allow statements that grant write permissions (s3:PutObject, s3:DeleteObject) to Everyone ("Principal": "*") or Any AWS customer ("Principal": {"AWS": "*"}).

  6. In the ACL section, ensure that Everyone does not have WRITE or WRITE_ACP permissions.

  7. If write permissions are found, modify the Bucket Policy and ACL to restrict write access to only authorized users or services.

Using AWS CLI:

  1. List all S3 buckets:

    aws s3api list-buckets --query "Buckets[*].Name"

  2. For each bucket, check the Bucket Policy for any statements that allow write access to Everyone or Any AWS customer:

    aws s3api get-bucket-policy --bucket <BUCKET_NAME>

  3. In the returned policy, look for any Allow statements with "Principal": "*" or "Principal": {"AWS": "*"} whose Action includes s3:PutObject or s3:DeleteObject (or a wildcard such as s3:* that covers them).

  4. Check the Bucket ACL for public write permissions:

    aws s3api get-bucket-acl --bucket <BUCKET_NAME>

  5. Ensure Everyone (the AllUsers group) and Any AWS customer (the AuthenticatedUsers group) do not have WRITE or WRITE_ACP permissions.

  6. If public write permissions are found, modify the Bucket Policy or ACL:

  7. To remove public write access in the Bucket Policy, use:

    aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://no_public_write_policy.json

  8. To remove public write access in the Bucket ACL, use:

    aws s3api put-bucket-acl --bucket <BUCKET_NAME> --acl private

  9. Verify the updated policy and ACL configuration:

    aws s3api get-bucket-policy --bucket <BUCKET_NAME>
    aws s3api get-bucket-acl --bucket <BUCKET_NAME>

Implementation Plan:

Using AWS Console:

  1. Open the S3 Console and select the bucket you want to configure.

  2. Under the Permissions tab, review and modify the Bucket Policy and ACL to ensure no public write access is allowed.

  3. Save the changes and verify that public write access has been successfully restricted.

Using AWS CLI:

  1. To deny write access by everyone, update the Bucket Policy:

    aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://no_public_write_policy.json

  2. If the ACL needs to be updated, run:

    aws s3api put-bucket-acl --bucket <BUCKET_NAME> --acl private
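The following script is an added example and is not part of the benchmark; it implements the checks from the Test Plan above (bucket policy statements and ACL grants that give write access to Everyone or Any AWS customer) and produces the sanitized policy that the Implementation Plan saves as no_public_write_policy.json. It works on the JSON documents that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return, so it runs offline; the bucket name, account ID, role name and canonical user ID in the sample documents are constructed placeholders.

```python
"""Audit S3 bucket policy and ACL documents for public write grants.

Added example, not benchmark code. The sample documents below are constructed
to mirror the shape of `aws s3api get-bucket-policy` / `get-bucket-acl` output.
"""
import json
from fnmatch import fnmatchcase
from typing import Any

# ACL group URIs that S3 uses for "Everyone" and "Any AWS customer".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# Bucket-policy actions that let a principal modify or delete objects.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject")
# ACL permissions that allow writing objects or rewriting the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value: Any) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal: Any) -> bool:
    """True for Principal "*" (Everyone) or {"AWS": "*"} (Any AWS customer)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def grants_write(action: str) -> bool:
    """True if an Action pattern (e.g. "s3:*", "s3:Put*") covers PutObject or DeleteObject."""
    return any(fnmatchcase(w.lower(), action.lower()) for w in WRITE_ACTIONS)


def load_policy(document: Any) -> dict:
    """Accept raw get-bucket-policy output ({"Policy": "<json string>"}), a policy
    JSON string, or an already-parsed policy dict."""
    if isinstance(document, str):
        document = json.loads(document)
    if "Policy" in document and "Statement" not in document:
        return json.loads(document["Policy"])
    return document


def find_public_write_statements(policy: Any) -> list:
    """Allow statements that give Everyone or Any AWS customer a write action.
    A NotAction statement is reported too, since it grants everything not listed."""
    findings = []
    for stmt in _as_list(load_policy(policy).get("Statement")):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        if "NotAction" in stmt or any(grants_write(a) for a in _as_list(stmt.get("Action"))):
            findings.append(stmt)
    return findings


def find_public_write_grants(acl: dict) -> list:
    """ACL grants giving WRITE, WRITE_ACP or FULL_CONTROL to AllUsers/AuthenticatedUsers."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g.get("Permission") in WRITE_PERMISSIONS
    ]


def strip_public_write(policy: Any) -> dict:
    """Return a copy of the policy without the offending statements; this is the
    document to save as no_public_write_policy.json before put-bucket-policy."""
    policy = load_policy(policy)
    bad = find_public_write_statements(policy)
    kept = [s for s in _as_list(policy.get("Statement")) if s not in bad]
    return {**policy, "Statement": kept}


# Constructed sample documents (placeholder bucket, account and IDs).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_CLI_OUTPUT = {"Policy": json.dumps(SAMPLE_POLICY)}  # get-bucket-policy shape
SAMPLE_ACL = {
    "Owner": {"ID": "exampleownercanonicalid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownercanonicalid"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for s in find_public_write_statements(SAMPLE_CLI_OUTPUT):
        print("public write in bucket policy:", s.get("Sid"))
    for g in find_public_write_grants(SAMPLE_ACL):
        print("public write in ACL:", g["Grantee"]["URI"], g["Permission"])
    print(json.dumps(strip_public_write(SAMPLE_POLICY), indent=2))
```

Two caveats when using this against real buckets: if stripping leaves the policy with no statements, delete the policy with `aws s3api delete-bucket-policy` instead of writing an empty one, since a bucket policy must contain at least one statement; and S3 Block Public Access, when enabled on the bucket or account, prevents public ACL and policy grants from taking effect, but the grants still merit removal because that setting can be switched off later.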

Backout Plan:

Using AWS Console:

  1. If blocking public write access causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon S3, select the bucket, and go to the Permissions tab.

  3. Revert the ACL settings to the previous configuration or re-enable the necessary public write access.

  4. Save the changes and monitor the bucket to ensure it functions as expected.

Using AWS CLI:

  1. To revert the ACL to allow public access again, run:

    aws s3api put-bucket-acl --bucket <BUCKET_NAME> --acl public-read-write

  2. To modify the bucket policy and allow public write access again, run:

    aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:PutObject",
          "Principal": "*",
          "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
        }
      ]
    }'

Reference:

CIS Controls:

  Version | Control ID | Control Description
  7.1     | 4.1        | Ensure that no S3 buckets are writable by Everyone or Any AWS customer to prevent unauthorized access and modification of data.
  7.1     | 8.1        | Review and manage the permissions for S3 buckets to ensure they are not accessible for write operations by unauthorized users or public entities.