
lacework-global-140

Ensure the attached S3 bucket policy does not grant 'Allow' permission to everyone (Automated)

Description

An S3 bucket has a policy that grants permissions to everyone (an unrestricted Principal), and the Block Public Access setting 'RestrictPublicBuckets' is not enabled at the bucket or account level. It is a best practice to restrict access to specific principals, and to enable the Block Public Access setting 'RestrictPublicBuckets' for buckets whose policies grant access to everyone.

Remediation

Perform the following to remove permissions for everyone from the S3 bucket:

  1. Sign in to the AWS Management Console

  2. Select Services

  3. Select S3

  4. Select the bucket to change

  5. Navigate to Permissions

  6. Navigate to Bucket Policy and select Edit

  7. Check for any Statement with Effect set to 'Allow', Principal set to '*' or 'AWS':'*', and no Condition element

  8. To disable access, remove the Statement

  9. To limit access to a specific AWS account or IAM user, replace the unrestricted Principal element with the Amazon Resource Name (ARN) of the AWS account or user

  10. Select Save changes

  11. Repeat steps 4-10 for each bucket requiring updated permissions

Enable all Block Public Access settings (recommended), or the specific 'RestrictPublicBuckets' setting at the bucket level

From Console:

  1. Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.

  2. Select the bucket.

  3. Select Permissions.

  4. Click Edit under 'Block public access (bucket settings)'.

  5. Click 'Block all public access' to enable all Block Public Access settings, or check the box next to 'Block public and cross-account access to buckets and objects through any public bucket or access point policies' to enable 'RestrictPublicBuckets' only.

  6. Click Save changes, enter 'confirm', and click Confirm.

  7. Repeat for all buckets that do not need to be public.

From Command Line:

To enable all Block Public Access settings on the bucket:

aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

To enable 'RestrictPublicBuckets' on the bucket:

aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration RestrictPublicBuckets=true

Enable all Block Public Access settings (recommended), or the specific 'RestrictPublicBuckets' setting at the account level

From Console:

  1. Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.

  2. Select 'Block Public Access settings for this account'.

  3. Click Edit.

  4. Check the box next to 'Block all public access' to enable all Block Public Access settings, or check the box next to 'Block public and cross-account access to buckets and objects through any public bucket or access point policies' to enable 'RestrictPublicBuckets' only.

  5. Click Confirm, enter 'confirm', and click Confirm.

From Command Line:

To enable all Block Public Access settings on the account:

aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true --account-id <value>

To enable 'RestrictPublicBuckets' on the account:

aws s3control put-public-access-block --public-access-block-configuration RestrictPublicBuckets=true --account-id <value>
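As an added check that is not Lacework's own detection logic, the following Python walks a bucket policy the way step 7 describes (Effect 'Allow', Principal '*' or 'AWS':'*', no Condition) and then applies the RestrictPublicBuckets test from the description at bucket and account level; the policy document, bucket name and account id 111122223333 are constructed sample values.

```python
import json

# Constructed sample bucket policy (not from the page): an unconditional public
# Allow, an Allow scoped to one account, and a public Allow that carries a Condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AccountOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "PublicWithCondition", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})


def is_everyone(principal) -> bool:
    """True when the Principal element means anyone: '*' or {'AWS': '*'} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def unconditional_public_statements(policy_json: str) -> list:
    """Sids of statements matching step 7: Effect Allow, Principal everyone, no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object, not a list
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and is_everyone(s.get("Principal")) and "Condition" not in s]


def restrict_public_buckets_enabled(public_access_block: dict) -> bool:
    """public_access_block is a PublicAccessBlockConfiguration object; an empty dict stands for
    'no configuration set', which behaves as if every setting were false."""
    return bool(public_access_block.get("RestrictPublicBuckets", False))


def needs_remediation(policy_json: str, bucket_pab: dict, account_pab: dict) -> bool:
    """The finding applies when an unconditional public Allow exists and neither the bucket
    nor the account has RestrictPublicBuckets enabled."""
    offenders = unconditional_public_statements(policy_json)
    restricted = restrict_public_buckets_enabled(bucket_pab) or restrict_public_buckets_enabled(account_pab)
    return bool(offenders) and not restricted
```

Feed it the output of `aws s3api get-bucket-policy` (the Policy string) and the PublicAccessBlockConfiguration objects from `get-public-access-block` at bucket and account level to reproduce the check against real buckets.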

References

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-account.html