Severity : Critical

Description: This control ensures that the S3 bucket access control list (ACL) does not allow unrestricted public read or write access. Exposing S3 buckets to everyone or to any authenticated AWS user can lead to data leaks, data loss and unexpected charges for the S3 service. S3 buckets can be configured to allow anyone

...

to write objects to a bucket or delete objects.

...

It is recommended that this option not be configured unless there is a strong business requirement.

...

Disable global "all users" grants on all S3 buckets and ensure the bucket ACL is configured with least privilege, so that you do not accidentally make objects available to users you do not intend.

Remediation Steps:

Perform the following to update the S3 bucket access policy:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the S3 console.

  3. In the navigation pane, select Buckets.

  4. Click the bucket to be modified, then click Permissions.

  5. In the Permissions pane, navigate to the Access control list (ACL) section.

  6. Click Edit.

  7. On the Access control list (ACL) page, in the Everyone (public access) section, uncheck the List and Read permissions. If the AWS users group, AllUsers, has any permission selected, uncheck those boxes.

  8. Click Save changes.
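The same check can be automated for every bucket in an account. The example below is added here and is not part of the original page; it assumes the ACL dict shape returned by boto3's `s3.get_bucket_acl(Bucket=name)` (also what `aws s3api get-bucket-acl` prints), and the sample ACL is constructed for illustration.

```python
"""Flag S3 bucket ACL grants that expose a bucket to the public.

Assumed input: the dict returned by boto3's s3.get_bucket_acl(Bucket=name).
The sample ACL at the bottom is constructed, not taken from a real account.
"""

# Predefined S3 group URIs meaning "everyone" and "any AWS account holder".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone (public access)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Any authenticated AWS user",
}

# ACL permissions that let a grantee list/read objects, write/delete them, or change the ACL.
RISKY_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def find_public_grants(acl: dict) -> list:
    """Return (group_label, permission) pairs that violate the control."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants name a specific account, not the public
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if label and grant.get("Permission") in RISKY_PERMISSIONS:
            findings.append((label, grant["Permission"]))
    return findings


def remediated_acl(acl: dict) -> dict:
    """Copy of the ACL with every public-group grant removed (least privilege)."""
    kept = [g for g in acl.get("Grants", [])
            if not (g.get("Grantee", {}).get("Type") == "Group"
                    and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS)]
    return {"Owner": acl.get("Owner"), "Grants": kept}


# Constructed sample: bucket owner plus a public READ grant and an authenticated-users WRITE grant.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLEOWNERCANONICALID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERCANONICALID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for label, perm in find_public_grants(SAMPLE_ACL):
        print(f"CRITICAL: {label} has {perm}")
    print("grants after remediation:", len(remediated_acl(SAMPLE_ACL)["Grants"]))
```

The cleaned dict from `remediated_acl` is in the shape `s3.put_bucket_acl(Bucket=name, AccessControlPolicy=...)` accepts; review the remaining grants before applying it, since a bucket policy can grant public access independently of the ACL.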

Important:

Reference: