Profile Applicability:
- Level 1
Description:
Amazon S3 bucket policies are used to control access to S3 buckets and their objects. It is essential to configure general-purpose S3 bucket policies to restrict access to only the specific AWS accounts that need it, and prevent unauthorized access from other AWS accounts. This can be done by explicitly defining allowed AWS account IDs or IAM roles within the policy. Restricting access in this manner ensures that only authorized users or services have access to the data, enhancing security and compliance.
Rationale:
Restricting access to specific AWS accounts ensures that only authorized users can access or modify data in S3 buckets. A general-purpose bucket policy that allows access to any AWS account increases the risk of unauthorized access to sensitive data. By explicitly specifying the AWS accounts that are allowed access, you reduce the risk of data breaches, maintain compliance with industry regulations (such as GDPR, HIPAA, and SOC 2), and follow best security practices.
Impact:
Pros:
Restricts access to only trusted AWS accounts, reducing the risk of unauthorized access.
Ensures compliance with data security and privacy regulations by controlling access to sensitive data.
Improves data security and integrity by limiting access to only authorized accounts.
Cons:
May require additional configuration if multiple accounts need access, potentially leading to complex policies.
Can cause operational disruption if the correct permissions are not set for legitimate users or services.
Default Value:
By default, S3 buckets do not have any bucket policies that allow access to other AWS accounts unless explicitly configured.
Pre-requisites:
AWS IAM permissions to manage S3 bucket policies:
s3:PutBucketPolicy
s3:GetBucketPolicy
Access to the S3 bucket configuration to review or modify the bucket policy.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to S3 and select Buckets from the left-hand menu.
Select the S3 bucket for which you want to review the policy.
Under the Permissions tab, review the Bucket Policy section.
Ensure that the bucket policy restricts access to only the specified AWS accounts or IAM roles. The policy should explicitly allow access to specific AWS account IDs or IAM roles, and deny access to other accounts.
If the policy allows access to any AWS account (Principal: "*") or does not restrict access to specific accounts, edit the policy to restrict access.
Using AWS CLI:
List all S3 buckets:
aws s3api list-buckets --query "Buckets[*].Name"
For each bucket, check the current Bucket Policy:
aws s3api get-bucket-policy --bucket <BUCKET_NAME>
Review the policy to ensure that only specific AWS accounts or IAM roles are allowed access and that no Allow statement uses a wildcard principal (e.g., Principal: "*"). Example of a restrictive policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
    }
  ]
}
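To apply this review step to many buckets without reading each policy by hand, the following added example (not part of this benchmark or of any AWS tooling) audits a bucket policy the way the check above describes: every Allow statement whose Principal is a wildcard, or names an account outside a trusted list, is reported, while Deny statements are left alone. It goes slightly beyond the two cases named above by also handling the single-statement object form, NotPrincipal, and Service/Federated principal kinds. The trusted account 123456789012, the bucket name example-bucket and the sample policy are constructed values.

```python
import json
import re

# Bare 12-digit account ID, or an IAM/STS ARN such as arn:aws:iam::123456789012:root
ACCOUNT_RE = re.compile(r"^(?:arn:aws:(?:iam|sts)::)?(\d{12})(?::.*)?$")

def iter_principals(principal):
    """Yield (kind, value) from a Principal element: "*", {"AWS": ...} or {"AWS": [...]}."""
    if isinstance(principal, str):   # a bare "*" means the same as {"AWS": "*"}
        principal = {"AWS": principal}
    for kind, values in (principal or {}).items():
        for value in (values if isinstance(values, list) else [values]):
            yield kind, value

def audit_policy_document(policy, trusted_accounts):
    """Return (index, reason) for each Allow statement reaching beyond trusted_accounts."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":  # "Deny" to "*" is how a bucket is locked down, not a finding
            continue
        if "NotPrincipal" in stmt:    # Allow + NotPrincipal = everyone except those listed
            findings.append((i, "Allow with NotPrincipal grants access to all other principals"))
            continue
        for kind, value in iter_principals(stmt.get("Principal")):
            if value == "*":
                cond = " (Condition present: review it)" if "Condition" in stmt else ""
                findings.append((i, "Allow to wildcard principal '*'" + cond))
            elif kind != "AWS":       # Service/Federated/CanonicalUser principals
                findings.append((i, f"Allow to {kind} principal {value}: review manually"))
            elif (m := ACCOUNT_RE.match(value)) is None or m.group(1) not in trusted_accounts:
                findings.append((i, f"Allow to untrusted principal {value}"))
    return findings

def audit_cli_output(cli_output, trusted_accounts):
    """Audit the JSON printed by `aws s3api get-bucket-policy`; its Policy field is a JSON string."""
    return audit_policy_document(json.loads(json.loads(cli_output)["Policy"]), trusted_accounts)

# Constructed sample (not a real bucket): one trusted Allow, one public Allow, one TLS-only Deny.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":  # prints [(1, "Allow to wildcard principal '*'")]
    print(audit_policy_document(SAMPLE_POLICY, {"123456789012"}))
```

Pipe the output of aws s3api get-bucket-policy for each bucket into audit_cli_output with your organisation's account IDs as the trusted set; a wildcard finding that carries a Condition (for example aws:PrincipalOrgID) still needs a human decision.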
If the policy is not restrictive, modify it to explicitly deny access to all accounts except the specified ones by running:
aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://restrict_access_policy.json
Verify that the bucket policy has been updated:
aws s3api get-bucket-policy --bucket <BUCKET_NAME>
Implementation Plan:
Using AWS Console:
Open the S3 Console and select the desired bucket.
Under the Permissions tab, navigate to Bucket Policy and click Edit.
Update the policy to restrict access to specific AWS accounts or IAM roles, and ensure no access is granted to the public or unauthorized accounts.
Save the updated policy and verify that it is correctly applied.
Using AWS CLI:
To restrict access to only a specific AWS account or IAM role, update the bucket policy using the following command:
aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://restrict_access_policy.json
Verify the policy:
aws s3api get-bucket-policy --bucket <BUCKET_NAME>
Backout Plan:
Using AWS Console:
If the policy causes issues, sign in to the AWS Management Console.
Navigate to Amazon S3, select the bucket, and go to the Permissions tab.
Revert the Bucket Policy to a less restrictive version, ensuring that access is re-enabled for the intended AWS accounts or services.
Save the changes and monitor the bucket to ensure it functions as expected.
Using AWS CLI:
To revert the Bucket Policy, run:
aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::<BUCKET_NAME>/*" } ] }'
Verify the reverted Bucket Policy:
aws s3api get-bucket-policy --bucket <BUCKET_NAME>
Reference:
CIS Controls: