S3 bucket should not be world-listable from anonymous users
Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion
Risk Level: Critical
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.IAM.28
Category: Storage
GSL LOGIC
S3Bucket should not have acl.grants contain [uri = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' and (premission = 'FULL_CONTROL' or premission = 'READ')]
REMEDIATION
From Portal:
- Go to Amazon S3 console
- Select the desired S3 bucket you want to change.
- Select the Permissions tab, and then go to Bucket Policy.
- Remove policies for s3:List actions for principals ''. If necessary, modify the policy instead, to limit the access to specific principals.
- Then, select Access Control List, and remove any grants to List objects to Public (everyone) users.
From TF:
resource "aws_s3_bucket" "test" {
bucket = "mybucket"
grant {
type = "Group"
+ permissions = [...] # not "READ" or "WRITE" or "FULL_CONTROL"
uri = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
}
}
From Command Line:
- Get and put a bucket policy. The following example shows how to download an Amazon S3 bucket policy, make modifications to the file, and then use put-bucket-policy to apply the modified bucket policy. Run following command to download the bucket policy to a file.
aws s3api get-bucket-policy --bucket BUCKET_NAME --query Policy --output text > policy.json
- You can then modify the policy.json file as needed. Finally you can apply this modified policy back to the S3 bucket by running:
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy POLICY.JSON
Note: Use action as s3:List* and Effect:Deny. Follow reference links for more details on json policy.
References:
- https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html
- https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-policy.html
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Compliance Frameworks
- AWS CCPA Framework
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HIPAA
- AWS HITRUST
- AWS ISO 27001:2013
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS Risk Management
- AWS Security Risk Management
Updated over 1 year ago