Aqua CSPM

S3 Bucket All Users ACL

Quick Info

Plugin Title: S3 Bucket All Users ACL
Cloud: AWS
Category: S3
Description: Ensures S3 buckets do not allow global write, delete, or read ACL permissions
More Info: S3 buckets can be configured to allow anyone, regardless of whether they are an AWS user or not, to write objects to a bucket or delete objects. This option should not be configured unless there is a strong business requirement.
AWS Link: http://docs.aws.amazon.com/AmazonS3/latest/UG/EditingBucketPermissions.html
Recommended Action: Disable global all users policies on all S3 buckets and ensure the bucket ACL is configured with least privilege.

Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for S3.
  3. Scroll down the left navigation panel and choose “Buckets”.
  4. Select the “Bucket” that needs to be verified and click on its identifier (name) in the “Bucket name” column.
  5. Click on the “Permissions” tab on the top menu.
  6. Check the “Access Control List” option under “Permissions”, scroll down the configuration page and check “Public access”. If “Read bucket permissions”, “Write objects”, “List objects” and “Write bucket permissions” are set to “Yes”, then the selected S3 bucket allows global write, delete, or read ACL permissions.
  7. Repeat steps number 2 - 6 to verify other S3 buckets in the region.
  8. Select the “S3 bucket” on which global access needs to be disabled and click on the “Permissions” tab.
  9. Scroll down the “Access Control List” configuration page and, under “Public access”, click on “Everyone” and uncheck the checkboxes against “Read bucket permissions”, “Write objects”, “List objects” and “Write bucket permissions”.
  10. Click on the “Save” button to make the necessary changes.
  11. Repeat steps 8 - 10 to disable global write, delete, or read ACL permissions in other S3 buckets.
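The console steps above inspect one bucket at a time. The following is an added example, not Aqua's plugin code, showing the same check performed programmatically over a bucket ACL: it flags any grant made to the AllUsers group (the “Everyone” grantee in the console) and maps each ACL permission to the console wording used in the steps. The ACL dict shape mirrors what boto3's `s3.get_bucket_acl()` returns; the bucket names and ACLs below are constructed samples.

```python
# Added example (not Aqua's plugin code): flag S3 bucket ACL grants made to the
# AllUsers ("Everyone") group, which is what this check looks for. The dict shape
# mirrors boto3's s3.get_bucket_acl() response; the samples below are constructed.

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"

# ACL permission -> wording shown in the console's Access Control List tab.
PERMISSION_LABELS = {
    "READ": "List objects",
    "WRITE": "Write objects",
    "READ_ACP": "Read bucket permissions",
    "WRITE_ACP": "Write bucket permissions",
    "FULL_CONTROL": "Full control (all of the above)",
}

def find_public_acl_grants(acl):
    """Return the set of ACL permissions granted to the AllUsers group."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS_URI:
            found.add(grant["Permission"])
    return found

def evaluate_bucket(name, acl):
    """Return (status, message) in the PASS/FAIL style a CSPM check reports."""
    perms = find_public_acl_grants(acl)
    if not perms:
        return "PASS", f"Bucket {name}: ACL grants nothing to Everyone"
    labels = ", ".join(PERMISSION_LABELS.get(p, p) for p in sorted(perms))
    return "FAIL", f"Bucket {name}: ACL grants Everyone {labels}"

# Constructed sample ACLs for hypothetical bucket names.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
EVERYONE = {"Type": "Group", "URI": ALL_USERS_URI}
SAMPLE_ACLS = {
    "example-private-bucket": {"Grants": [OWNER]},
    "example-public-bucket": {"Grants": [
        OWNER,
        {"Grantee": EVERYONE, "Permission": "READ"},
        {"Grantee": EVERYONE, "Permission": "WRITE"},
    ]},
}

if __name__ == "__main__":
    for bucket, acl in SAMPLE_ACLS.items():
        print(*evaluate_bucket(bucket, acl))
```

In a real account, replace `SAMPLE_ACLS` with the response of `get_bucket_acl` for each bucket returned by `list_buckets`; a bucket that passes this ACL check may still be public through its bucket policy, which this check does not cover.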