lacework-global-101

Ensure the attached S3 bucket policy does not grant global 'Put' permission (Automated)

Description

An S3 bucket has a policy which allows global 'Put' permission to everyone, and the Block Public Access setting 'RestrictPublicBuckets' is not enabled at the bucket or account level. It is a best practice to restrict access to specific rather than global actions, and to enable the Block Public Access setting 'RestrictPublicBuckets' for buckets with policies granting access to everyone.

Remediation

Perform the following to remove global 'Put' permissions for everyone from the S3 bucket:

  1. Sign in to the AWS Management Console

  2. Select Services

  3. Select S3

  4. Select an S3 bucket

  5. Select Permissions

  6. Select Edit next to Bucket policy

  7. Locate any statement with Effect value set to 'Allow' with a Principal element set to '*' or 'AWS': '*' and no conditions

  8. To entirely disable access remove the statement

  9. To limit permissions to specific actions, replace global 'Put' actions with specific 'Put' actions

  10. Select Save changes

  11. Repeat steps 4-10 for each bucket requiring updated permissions

Enable all Block Public Access settings (recommended), or the specific 'RestrictPublicBuckets' setting at the bucket level

From Console:

  1. Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.

  2. Select the bucket.

  3. Select Permissions.

  4. Click Edit under 'Block public access (bucket settings)'.

  5. Click 'Block all public access' to enable all Block Public Access settings, or check the box next to 'Block public and cross-account access to buckets and objects through any public bucket or access point policies' to enable 'RestrictPublicBuckets' only.

  6. Click Save changes, enter 'confirm', and click Confirm.

  7. Repeat for all buckets that do not need to be public.

From Command Line:

To enable all Block Public Access settings on the bucket:

aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

To enable 'RestrictPublicBuckets' on the bucket:

aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration RestrictPublicBuckets=true

Enable all Block Public Access settings (recommended), or the specific 'RestrictPublicBuckets' setting at the account level

From Console:

  1. Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.

  2. Select 'Block Public Access settings for this account'.

  3. Click Edit.

  4. Check the box next to 'Block all public access' to enable all Block Public Access settings, or check the box next to 'Block public and cross-account access to buckets and objects through any public bucket or access point policies' to enable 'RestrictPublicBuckets' only.

  5. Click Confirm, enter 'confirm', and click Confirm.

From Command Line:

To enable all Block Public Access settings on the account:

aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true --account-id <value>

To enable 'RestrictPublicBuckets' on the account:

aws s3control put-public-access-block --public-access-block-configuration RestrictPublicBuckets=true --account-id <value>
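The check this policy describes, combining the bucket-policy inspection from step 7 above with the bucket- and account-level 'RestrictPublicBuckets' settings, as an added example that is not Lacework's own detection code. The policy document and the two public-access-block configurations are constructed inline; in practice they would come from `aws s3api get-bucket-policy`, `aws s3api get-public-access-block` and `aws s3control get-public-access-block`. Treating '*', 's3:*' and 's3:Put*' as "global Put" is an assumption of this example.

```python
import json

# Constructed sample bucket policy (not from the page): the first statement grants
# global Put to everyone, the second is scoped to a single IAM role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenUpload", "Effect": "Allow", "Principal": "*",
         "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "RoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

def is_everyone(principal):
    """True for Principal '*' or {'AWS': '*'} (the AWS value may be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def is_global_put(action):
    """Wildcard actions that cover every Put operation (assumed set: '*', 's3:*', 's3:Put*')."""
    acts = action if isinstance(action, list) else [action]
    return any(a.lower() in ("*", "s3:*", "s3:put*") for a in acts)

def global_put_statements(policy_json):
    """Sids of Allow statements granting global Put to everyone with no Condition (step 7)."""
    hits = []
    for s in json.loads(policy_json).get("Statement", []):
        if (s.get("Effect") == "Allow" and is_everyone(s.get("Principal"))
                and not s.get("Condition") and is_global_put(s.get("Action", []))):
            hits.append(s.get("Sid", "<no Sid>"))
    return hits

def is_violation(policy_json, bucket_pab, account_pab):
    """The finding fires only if a global Put statement exists AND
    RestrictPublicBuckets is disabled at both the bucket and the account level."""
    restricted = (bucket_pab.get("RestrictPublicBuckets", False)
                  or account_pab.get("RestrictPublicBuckets", False))
    return bool(global_put_statements(policy_json)) and not restricted

if __name__ == "__main__":
    print("offending statements:", global_put_statements(SAMPLE_POLICY))
    print("violation with no PAB:", is_violation(SAMPLE_POLICY, {}, {}))
    print("violation with bucket PAB:", is_violation(SAMPLE_POLICY, {"RestrictPublicBuckets": True}, {}))
```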

References

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html