Profile Applicability:

  •  Level 2

Description:

Ensuring the ability to directly add data to Amazon S3 buckets is critical for data backup, migration, log aggregation, and integration with other AWS services. This control verifies that users, systems, or applications have the correct permissions and configuration to upload data directly into S3 buckets, either manually or programmatically.

Rationale:

Allowing direct data addition to S3 ensures:

  • Applications and services can store logs, backups, and processed data efficiently

  • Automated pipelines or agents can perform data uploads seamlessly

  • Third-party integrations and analytics tools can write directly to cloud storage

  • Data repositories remain up-to-date for downstream processing

Default Value:

S3 buckets do not allow public or unauthorized uploads by default. IAM roles, bucket policies, or access points must be configured explicitly.

Impact:

Pros:

  • Enables applications, services, and users to write data to S3 without intermediate layers
  • Simplifies integration and automation for data pipelines
  • Supports centralized storage and processing of structured or unstructured data

Cons:

  • Misconfigured permissions may lead to unauthorized uploads or data overwrite
  • Requires proper access control to avoid data sprawl
  • Might increase costs if data is added in large volumes or high frequency

Pre-requisites:

IAM Permissions Required:

  • s3:PutObject
  • s3:PutObjectAcl
  • s3:GetBucketPolicy
  • s3:ListBucket

Bucket-level access policy or role delegation must be in place

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console
  2. Navigate to S3 > Buckets
  3. Select the target bucket
  4. Under the Permissions tab, review:
     • Bucket policy
     • Access control list (ACL)
     • Block public access settings
  5. Test uploading an object via the Upload button on the Objects tab
  6. Validate successful upload and that object metadata is properly stored

Using AWS CLI:

aws s3 cp testfile.txt s3://<bucket-name>/testfile.txt
aws s3api list-objects \
  --bucket <bucket-name>
aws s3api get-bucket-acl \
  --bucket <bucket-name>

Implementation Plan:

Using AWS Console:

  1. Go to S3 > Buckets and select the bucket
  2. Under Permissions, review and modify the bucket policy to allow direct uploads
  3. Assign required IAM roles or users with s3:PutObject permission
  4. Enable or restrict access via access points or IAM conditions if needed
  5. Use the Upload button to test and confirm direct object addition

Using AWS CLI:

Example policy to allow a specific IAM role to upload:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:role/S3UploadRole"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}
Apply this policy using:

aws s3api put-bucket-policy \
  --bucket <bucket-name> \
  --policy file://bucket-policy.json

Test direct upload:

aws s3 cp data.json s3://<bucket-name>/uploads/data.json
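The Test Plan above reviews the bucket policy by hand, and the Cons section warns that a misconfigured policy can open the bucket to unauthorized uploads. The following script is an added example, not part of this control or of any AWS tooling: it audits a bucket policy document (such as the JSON returned by aws s3api get-bucket-policy) and flags every Allow statement that grants upload actions to an anonymous or wildcard principal, across every bucket, or via an action wildcard that grants far more than s3:PutObject. The two policies embedded below are constructed: the first is the scoped role policy from this control, the second is a deliberately over-permissive variant. Condition blocks are not evaluated, so a finding means "review this statement", not a confirmed exposure.

```python
"""Audit an S3 bucket policy for over-broad s3:PutObject grants (added example)."""
import json
from typing import Any, Dict, List

# Actions that permit writing objects, or wildcards that include them.
UPLOAD_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_upload(action: str) -> bool:
    """True if an Action string covers s3:PutObject (exact, or a prefix wildcard such as s3:Put*)."""
    action = action.lower()
    if action in UPLOAD_ACTIONS:
        return True
    if action.endswith("*"):
        return "s3:putobject".startswith(action[:-1])
    return False


def _principal_is_public(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def audit_upload_grants(policy_json: str) -> List[Dict[str, Any]]:
    """Return one record per Allow statement that grants an upload action, with its issues."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = [a for a in _as_list(stmt.get("Action")) if _grants_upload(a)]
        if not actions:
            continue  # e.g. a public GetObject grant is out of scope for this check
        resources = _as_list(stmt.get("Resource"))
        issues = []
        if _principal_is_public(stmt.get("Principal")):
            issues.append("anonymous or wildcard principal")
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            issues.append("resource wildcard spans every bucket")
        if any(a.lower() in ("s3:*", "*") for a in actions):
            issues.append("action wildcard grants more than upload")
        findings.append({"index": index, "sid": stmt.get("Sid"),
                         "actions": actions, "issues": issues})
    return findings


def unsafe_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Only the upload grants that carry at least one issue."""
    return [f for f in audit_upload_grants(policy_json) if f["issues"]]


# Constructed sample 1: the scoped policy from this control (placeholders kept as-is).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::<account-id>:role/S3UploadRole"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::<bucket-name>/*",
    }],
})

# Constructed sample 2: a misconfigured policy that lets anyone write anything.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::open-bucket/*"},
        {"Sid": "OpenWrite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::open-bucket/*"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("open", OPEN_POLICY)):
        for finding in unsafe_statements(doc):
            print(f"{name}: statement {finding['index']} ({finding['sid']}): "
                  + "; ".join(finding["issues"]))
```

Run it against a live bucket by piping the policy text in, for example aws s3api get-bucket-policy --bucket <bucket-name> --query Policy --output text, and feed the result to audit_upload_grants. The scoped policy produces no findings; the open policy reports its OpenWrite statement twice over (wildcard principal and s3:* action) while ignoring the PublicRead statement, which this control does not cover.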

Backout Plan:

Using AWS Console:

  1. Remove or edit the IAM roles, bucket policies, or access points
  2. Use Block Public Access settings to disable anonymous uploads
  3. Revoke permissions or delete access entries no longer needed

Using AWS CLI:

aws s3api delete-bucket-policy \
  --bucket <bucket-name>
aws iam detach-user-policy \
  --user-name <user> \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

References: