lacework-global-808

S3 general purpose buckets should block public write access (Automated)

Description

This control checks whether your S3 buckets allow public write access. It evaluates the block public access settings, the bucket policy, and the bucket Access Control List (ACL). The control fails if an Amazon S3 bucket permits public write access.

Some use cases require that everyone on the internet be able to write to your S3 bucket. However, those situations are rare. To ensure the integrity and security of your data, your S3 bucket should not be publicly writable.

Remediation

Using the Console:

Block Public Access:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, select the bucket to update.
  3. Choose Permissions.
  4. Under Block public access (bucket settings), choose Edit. For more information about the four Amazon S3 Block Public Access settings, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html#access-control-block-public-access-options.
  5. Select Block all public access, which turns on all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets), and then choose Save changes. Note that RestrictPublicBuckets on its own only neutralizes a public bucket policy; a public ACL grant is only made inert by IgnorePublicAcls, so enabling a single setting does not cover both of the cases this control evaluates.
  6. When prompted, type confirm.
  7. Click Confirm to save the changes.

Bucket Policy:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, select the bucket to update.
  3. Navigate to Permissions.
  4. Navigate to Bucket Policy and select Edit.
  5. Check for any Statement with Effect set to "Allow", Principal set to "*" or {"AWS": "*"}, no Condition, and an Action that permits writes (for example s3:PutObject, s3:DeleteObject, s3:PutObjectAcl, s3:PutBucketAcl, s3:PutBucketPolicy, or a wildcard such as s3:* or s3:Put*). Treat a Condition with care: a condition that any caller can satisfy, such as requiring aws:SecureTransport, does not stop the statement from being public.
  6. To disable access, remove the Statement.
  7. To limit access to a specific AWS account, Identity and Access Management (IAM) user, or IAM role, replace the unrestricted Principal element with the Amazon Resource Name (ARN) of that account, user, or role.
  8. Select Save changes.

Bucket Access Control List:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, select the bucket to update.
  3. Navigate to Permissions.
  4. Navigate to Access Control List and select Edit.
  5. Against Everyone (public access), clear 'Write' under both Objects and Bucket ACL; 'Write' on the bucket ACL (WRITE_ACP) lets anyone rewrite the ACL and grant themselves any other permission. Do the same for Authenticated users group (anyone with an AWS account), because that group covers every AWS account, not only yours. Your own account keeps full control through the Bucket owner (your AWS account) grant, so nothing else needs to be enabled; if other accounts or roles need write access, grant it to their ARNs in the bucket policy instead of through a group ACL.
  6. Select Save changes.

Using the CLI:

To enable all Block Public Access settings on the bucket:

aws s3api put-public-access-block --bucket <bucket_name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
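The following is an added, stand-alone model of the evaluation described above and of the bucket-policy, ACL, and Block Public Access remediations; it is example code written for this page, not Lacework's or AWS's implementation. The three inputs are constructed samples shaped like the boto3 responses from s3.get_public_access_block(), s3.get_bucket_policy() (with the Policy string parsed as JSON), and s3.get_bucket_acl(); the bucket name, canonical ID, and account ID are placeholders. It shows why a public policy and a public ACL are separate findings, which Block Public Access setting neutralizes each, and how replacing the unrestricted Principal (step 7 of the bucket-policy procedure) clears the finding.

```python
"""Offline model of the public-write check (added example, not Lacework's or AWS's code)."""
import json
from fnmatch import fnmatchcase

# Actions that let a caller change bucket contents or permissions.
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy"]
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # Everyone (public access)
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # anyone with any AWS account
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for "Principal": "*" and "Principal": {"AWS": "*"}, the two forms in the console steps."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_write_statements(policy_doc):
    """Allow statements with a public principal, no Condition, and a write action (or NotAction)."""
    hits = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        # A Condition is treated as a restriction, as in the console procedure; a condition
        # any caller can satisfy (aws:SecureTransport=true) would still be public in reality.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed, writes included
            hits.append(stmt)
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatchcase(w.lower(), p) for p in patterns for w in WRITE_ACTIONS):
            hits.append(stmt)
    return hits


def public_write_grants(acl):
    """ACL grants giving WRITE, WRITE_ACP or FULL_CONTROL to a public group."""
    return [g for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
            and g["Permission"] in WRITE_PERMISSIONS]


def evaluate(public_access_block, policy_doc, acl):
    """Combine the three sources the control evaluates; returns (passes, findings)."""
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    # RestrictPublicBuckets neutralises an existing public policy; BlockPublicPolicy only
    # rejects new ones, so a policy that is already public still counts as a failure.
    if policy_doc and public_write_statements(policy_doc) and not cfg.get("RestrictPublicBuckets"):
        findings.append("bucket policy grants public write")
    # IgnorePublicAcls makes existing public grants inert; BlockPublicAcls only blocks new ones.
    if acl and public_write_grants(acl) and not cfg.get("IgnorePublicAcls"):
        findings.append("bucket ACL grants public write")
    return (not findings, findings)


def scope_principal(policy_doc, principal_arn):
    """Bucket-policy step 7: replace every unrestricted Principal with a specific ARN."""
    fixed = json.loads(json.dumps(policy_doc))  # deep copy, leave the input untouched
    for stmt in _as_list(fixed.get("Statement", [])):
        if is_public_principal(stmt.get("Principal")):
            stmt["Principal"] = {"AWS": principal_arn}
    return fixed


# Constructed sample inputs (placeholder bucket, canonical ID and account; not real resources).
NO_BLOCK = {"PublicAccessBlockConfiguration": {k: False for k in BPA_KEYS}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in BPA_KEYS}}  # what the CLI command sets
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERCANONICALID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
]}
CLEAN_ACL = {"Grants": SAMPLE_ACL["Grants"][:1]}

if __name__ == "__main__":
    print(evaluate(NO_BLOCK, SAMPLE_POLICY, SAMPLE_ACL))    # (False, [policy finding, ACL finding])
    print(evaluate(FULL_BLOCK, SAMPLE_POLICY, SAMPLE_ACL))  # (True, []): Block Public Access wins
    scoped = scope_principal(SAMPLE_POLICY, "arn:aws:iam::123456789012:root")
    print(evaluate(NO_BLOCK, scoped, CLEAN_ACL))            # (True, [])
```

The PublicRead statement is left alone by the write check (s3:GetObject is not a write action) but is still rewritten by scope_principal, since step 7 replaces every unrestricted Principal; read-only public access is the subject of a separate control.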

References

https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-3
https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html#access-control-block-public-access-options