lacework-global-138
Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE_ACP permission [modify bucket ACL]
Description
The S3 bucket ACL grants the Authenticated Users group (URI http://acs.amazonaws.com/groups/global/AuthenticatedUsers, which means any principal from any AWS account, not only accounts in your organization) the WRITE_ACP permission, i.e. the right to write or rewrite the bucket ACL. A principal holding WRITE_ACP can grant themselves FULL_CONTROL, so this permission is effectively full control over who can read and write the bucket. Note that a FULL_CONTROL grant to the same group includes WRITE_ACP and should be treated the same way. It is best practice to restrict WRITE_ACP to only the principals that require it.
Note: S3 buckets created with the default/recommended AWS settings (Object Ownership set to "Bucket owner enforced") have ACLs disabled, so no group grants can exist and they are compliant with this policy.
Remediation
Perform the following to revoke WRITE_ACP permission for the Authenticated Users group:
1. Sign in to the AWS Management Console.
2. Select Services.
3. Select S3.
4. Select the bucket to change.
5. Navigate to Permissions.
6. Navigate to Access Control List and select Edit.
7. In the row for Authenticated users group (anyone with an AWS account), clear Write under Bucket ACL. If the row also has Full control, clear that too, since it includes the right to write the ACL.
8. Select Save changes.
9. Repeat steps 4-8 for each bucket requiring updated permissions.
If the Edit button is disabled because Object Ownership is set to "Bucket owner enforced", ACLs are already off for that bucket and no change is needed.
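The same check and fix can be scripted against the ACL document returned by `aws s3api get-bucket-acl` (or boto3's `get_bucket_acl`). The example below is added here and is not Lacework's or AWS's code; it assumes the standard `{"Owner": ..., "Grants": [...]}` JSON shape and uses a constructed sample ACL so it runs offline. It goes slightly beyond the console steps above by also flagging a FULL_CONTROL grant to the group, since that permission includes WRITE_ACP.

```python
"""Detect and remediate WRITE_ACP granted to the AuthenticatedUsers group in an S3 bucket ACL.

Input/output shape matches `aws s3api get-bucket-acl --bucket NAME`:
{"Owner": {"ID": ..., "DisplayName": ...},
 "Grants": [{"Grantee": {"Type": ..., "ID"/"URI": ...}, "Permission": ...}, ...]}
"""
import copy
import json

# Group URI that S3 uses for "anyone with an AWS account" (any account, worldwide).
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that let the grantee rewrite the bucket ACL. FULL_CONTROL implies WRITE_ACP.
ACL_WRITE_PERMS = {"WRITE_ACP", "FULL_CONTROL"}


def _is_authenticated_users(grantee):
    return grantee.get("Type") == "Group" and grantee.get("URI") == AUTHENTICATED_USERS


def offending_grants(acl):
    """Return the grants that give the AuthenticatedUsers group the ability to write the ACL."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Permission") in ACL_WRITE_PERMS and _is_authenticated_users(g.get("Grantee", {}))
    ]


def is_compliant(acl):
    """True when no grant lets any authenticated AWS user modify the bucket ACL."""
    return not offending_grants(acl)


def remediate(acl):
    """Return a new ACL document with only the offending grants removed.

    Everything else (owner, other grantees, READ/READ_ACP on the same group) is kept,
    so applying the result with put-bucket-acl does not clobber access that was intended.
    The input is not modified.
    """
    bad = offending_grants(acl)
    fixed = copy.deepcopy(acl)
    fixed["Grants"] = [g for g in fixed.get("Grants", []) if g not in bad]
    return fixed


# Constructed sample, not data from a real account: owner has full control,
# authenticated users can list (READ) and, non-compliantly, rewrite the ACL (WRITE_ACP).
SAMPLE_OWNER_ID = "0" * 64  # placeholder canonical user ID
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": SAMPLE_OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "example-owner", "ID": SAMPLE_OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE_ACP"},
    ],
}


if __name__ == "__main__":
    for g in offending_grants(SAMPLE_ACL):
        print("non-compliant grant:", g["Permission"], "->", g["Grantee"]["URI"])
    # The remediated document can be written to a file and applied with
    #   aws s3api put-bucket-acl --bucket NAME --access-control-policy file://fixed.json
    print(json.dumps(remediate(SAMPLE_ACL), indent=2))
```

Feed it real data with `aws s3api get-bucket-acl --bucket NAME > acl.json`, then apply the result of `remediate` with `aws s3api put-bucket-acl --bucket NAME --access-control-policy file://fixed.json` (the `Owner` element must be present in the policy). On a bucket whose Object Ownership is already "Bucket owner enforced", `get-bucket-acl` returns only the owner grant and `is_compliant` is true, matching the note above.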