S3 Bucket All Users Policy

Quick Info

Plugin Title: S3 Bucket All Users Policy
Description: Ensures S3 bucket policies do not allow global write, delete, or read permissions
More Info: S3 buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted only to known users or accounts.
AWS Link:
Recommended Action: Remove wildcard principals from the bucket policy statements.

Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for S3.
  3. Scroll down the left navigation panel and choose “Buckets”.
  4. Select the “Bucket” that needs to be verified and click on its identifier (name) in the “Bucket name” column.
  5. Click on the “Permissions” tab on the top menu.
  6. Check the “Bucket Policy” option under “Properties” and inspect the “Effect” and “Principal” values. If the “Effect” element is set to “Allow” and the “Principal” element is set to everyone ( * ), then the selected S3 bucket is publicly accessible.
  7. Repeat steps number 2 - 6 to verify other S3 buckets in the region.
  8. Select the publicly accessible S3 bucket that needs to be configured, click on the “Permissions” tab and then click on the “Bucket Policy” option.
  9. In the “Bucket Policy” option, one way to remove the public accessibility is to delete the policy for the selected S3 bucket: click on the “Delete” option at the top and then the “Delete” button on the “Delete Bucket Policy” tab.
  10. Alternatively, to limit the public accessibility, replace the current value of the Principal element with the Amazon Resource Name (ARN) (e.g. { “AWS”: “arn:aws:iam::102604298007:role/aws-elasticbeanstalk-ec2-role” }) of the AWS account that should have access to the selected S3 bucket.
  11. Click on the save button at the top to make the necessary changes.
  12. Repeat steps number 8 - 11 to remove wildcard principals for other S3 buckets.
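The check in step 6 and the remediation in step 10 can be applied to a policy document offline before it is ever attached to a bucket. The following is an added example (not the plugin's own code and not AWS-provided): it parses a bucket policy, reports every “Allow” statement whose Principal is everyone (“*” or {“AWS”: “*”}), classifies the granted actions as read, write or delete, and rewrites wildcard principals to a chosen ARN. The sample policy, bucket name, account id and role name are constructed placeholders.

```python
"""Find and fix wildcard-principal statements in an S3 bucket policy.
Added example; the policy below is constructed, not taken from a real bucket."""
import json


def _as_list(value):
    """Policy elements may be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True when the Principal element means everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def classify_actions(actions):
    """Map a statement's Action list to the permission classes it grants
    (read/write/delete, the classes named in the check description)."""
    classes = set()
    for action in actions:
        a = action.lower()
        if a in ("*", "s3:*"):
            return {"read", "write", "delete"}
        if a.startswith(("s3:get", "s3:list")):
            classes.add("read")
        elif a.startswith("s3:put"):
            classes.add("write")
        elif a.startswith("s3:delete"):
            classes.add("delete")
    return classes


def find_public_statements(policy_document):
    """Return one finding per Allow statement whose Principal is everyone.

    A Condition element does not exempt a statement: it is still reported,
    with has_condition=True, so a reviewer can judge whether it is narrow enough.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", ""),
            "permissions": sorted(classify_actions(_as_list(stmt.get("Action")))),
            "has_condition": "Condition" in stmt,
        })
    return findings


def restrict_to_principal(policy_document, principal_arn):
    """Remediation step 10: replace every wildcard Principal in an Allow
    statement with the given account or role ARN; returns the new policy JSON."""
    policy = json.loads(policy_document)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and principal_is_wildcard(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": principal_arn}
    return json.dumps(policy, indent=2)


# Constructed sample: the first statement grants everyone write and delete,
# the second is already scoped to a single role (placeholder account id).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "RoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/example-role"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for f in find_public_statements(PUBLIC_POLICY):
        print(f"{f['sid']}: everyone gets {', '.join(f['permissions'])}")
    fixed = restrict_to_principal(PUBLIC_POLICY, "arn:aws:iam::111111111111:role/example-role")
    print(find_public_statements(fixed))  # [] once no wildcard principal remains
```

Run against a policy fetched with `aws s3api get-bucket-policy`, the first function reproduces the step 6 check for every bucket in the region, and the second produces the policy body to paste in at step 10. Deleting the policy outright (step 9) is the safer choice when no principal actually needs the access.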