lacework-global-140
Ensure the attached S3 bucket policy does not grant 'Allow' permission to everyone (Automated)
Description
An S3 bucket has a policy containing an 'Allow' statement whose Principal is everyone ('*' or 'AWS':'*') with no restricting Condition, and the Block Public Access setting 'RestrictPublicBuckets' is not enabled at either the bucket or the account level. In that state the bucket's contents are reachable by anonymous or cross-account callers. It is a best practice to restrict access to specific principals, and to enable the Block Public Access setting 'RestrictPublicBuckets' for buckets with policies granting access to everyone, since that setting causes S3 to ignore the public and cross-account grants in such a policy.
Remediation
Perform the following to remove permissions for everyone from the S3 bucket:
Sign in to the AWS Management Console
Select Services
Select S3
Select the bucket to change
Navigate to Permissions
Navigate to Bucket Policy and select Edit
Check for any Statement with Effect set to 'Allow', Principal set to '*' or 'AWS':'*' (including a list of principals that contains '*'), and no Condition element. Statements that carry a Condition (for example aws:SourceVpce or aws:SourceIp) may still be too broad and should be reviewed individually, but they are not what this check flags
To disable access, remove the Statement
To limit access to a specific AWS account or IAM user, replace the unrestricted Principal element with the Amazon Resource Name (ARN) of the AWS account or user
Select Save changes
Repeat the bucket selection, policy review and edit for each bucket requiring updated permissions
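The policy review above can be automated against the output of `aws s3api get-bucket-policy --bucket <name-of-bucket> --query Policy --output text` and `aws s3api get-public-access-block` / `aws s3control get-public-access-block`. The following is an added example written for this page, not Lacework's or AWS's own checking code; the sample policy and the PublicAccessBlock dictionaries it is run against are constructed here, and the function and variable names are the example's own. It applies the same three tests as the manual step (Effect 'Allow', Principal '*' or 'AWS':'*', no Condition) and then decides whether 'RestrictPublicBuckets' at the bucket or account level neutralises the finding.

```python
import json
from typing import Optional

# Constructed sample policy (not from a real bucket). Only 'PublicRead' should
# be flagged: 'VpcOnly' carries a Condition, 'PartnerAccount' names a specific
# principal, and 'DenyInsecureTransport' is a Deny rather than an Allow.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM allows most elements to be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_everyone_principal(principal) -> bool:
    """True for Principal '*' or {'AWS': '*'} (or an 'AWS' list containing '*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws is not None and "*" in _as_list(aws):
            return True
    return False


def find_public_allow_statements(policy_json: str) -> list:
    """Return the Sid (or index) of every unconditional Allow granted to everyone."""
    policy = json.loads(policy_json)
    hits = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_everyone_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditioned statements are left for manual review, as in the console step.
            continue
        hits.append(stmt.get("Sid", f"Statement[{index}]"))
    return hits


def restrict_public_buckets_enabled(bucket_pab: Optional[dict],
                                    account_pab: Optional[dict]) -> bool:
    """Each argument is the PublicAccessBlockConfiguration dict returned by
    get-public-access-block (or None when no configuration exists). The setting
    takes effect if it is true at either level."""
    for config in (bucket_pab, account_pab):
        if config and config.get("RestrictPublicBuckets") is True:
            return True
    return False


def evaluate(policy_json: str, bucket_pab: Optional[dict],
             account_pab: Optional[dict]) -> dict:
    """Combine both checks into the finding this control reports."""
    hits = find_public_allow_statements(policy_json)
    restricted = restrict_public_buckets_enabled(bucket_pab, account_pab)
    return {
        "public_statements": hits,
        "restrict_public_buckets": restricted,
        "violation": bool(hits) and not restricted,
    }


if __name__ == "__main__":
    # Bucket with all four settings off and no account-level configuration.
    bucket_config = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                     "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
    print(json.dumps(evaluate(SAMPLE_POLICY, bucket_config, None), indent=2))
```

Feed real data by replacing SAMPLE_POLICY with the string from get-bucket-policy and the two dictionaries with the PublicAccessBlockConfiguration objects from the bucket-level and account-level get-public-access-block calls (a NoSuchPublicAccessBlockConfiguration error from either call means no configuration exists, so pass None).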
Enable all Block Public Access settings (recommended), or the specific 'RestrictPublicBuckets' setting at the bucket level
From Console:
Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
Select the bucket.
Select Permissions.
Click Edit under 'Block public access (bucket settings)'.
Click 'Block all public access' to enable all Block Public Access settings, or check the box next to 'Block public and cross-account access to buckets and objects through any public bucket or access point policies' to enable 'RestrictPublicBuckets' only.
Click Save changes, enter 'confirm', and click Confirm.
Repeat for all buckets that do not need to be public.
From Command Line:
To enable all Block Public Access settings on the bucket:
aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
To enable only 'RestrictPublicBuckets' on the bucket (put-public-access-block replaces the bucket's existing Block Public Access configuration rather than merging into it, so include any other settings that should remain enabled):
aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration RestrictPublicBuckets=true
Enable all Block Public Access settings (recommended), or the specific 'RestrictPublicBuckets' setting at the account level
From Console:
Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.
Select 'Block Public Access settings for this account'.
Click Edit.
Check the box next to 'Block all public access' to enable all Block Public Access settings, or check the box next to 'Block public and cross-account access to buckets and objects through any public bucket or access point policies' to enable 'RestrictPublicBuckets' only.
Click Save changes, enter 'confirm', and click Confirm.
From Command Line:
To enable all Block Public Access settings on the account:
aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true --account-id <value>
To enable only 'RestrictPublicBuckets' on the account (as with the bucket-level command, this replaces the account's existing configuration, so include any other settings that should remain enabled):
aws s3control put-public-access-block --public-access-block-configuration RestrictPublicBuckets=true --account-id <value>
References
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html