
lacework-global-811

Restrict S3 bucket policy permissions granted to other AWS accounts (Automated)

Description

This policy checks whether each S3 bucket's policy prevents principals from other AWS accounts from performing actions that should be denied to them. An S3 bucket is non-compliant if its bucket policy allows one or more of the actions listed below to a principal in another AWS account (a wildcard principal, which covers every account, counts as another account).

  • *
  • s3:*
  • s3:Delete*
  • s3:Put*
  • s3:DeleteBucketPolicy
  • s3:PutBucketAcl
  • s3:PutBucketPolicy
  • s3:PutEncryptionConfiguration
  • s3:PutObjectAcl

Implementing least-privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. The actions above let a principal delete objects, rewrite the bucket policy or ACLs, and change the bucket's encryption configuration; a bucket policy that grants them to another account gives an insider in that account, or an attacker who has compromised it, a path to destroying or exfiltrating the data.
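The check described above, as an added example of how to evaluate a bucket policy document offline (this is not Lacework's or AWS's own evaluation logic): it parses the policy, extracts the account behind each AWS principal, and reports every Allow statement that grants one of the listed actions to a principal outside the bucket owner's account. Assumptions made here: an action pattern that covers a listed action (including broader wildcards such as s3:PutBucket*) counts as granting it, Condition blocks are not evaluated so the result is conservative, and the policy documents and account IDs are constructed for the example.

```python
"""Offline check for the condition described above: which Allow statements in an
S3 bucket policy grant one of the listed actions to a principal outside the bucket
owner's account. Added example, not Lacework's or AWS's evaluator; the policies
and account IDs below are constructed."""
import fnmatch
import json
import re

# Concrete actions from the list above. The wildcard entries ('*', 's3:*',
# 's3:Delete*', 's3:Put*') are covered by matching each statement's action
# patterns against these names (assumption: a pattern covering a listed action grants it).
SENSITIVE_ACTIONS = [
    "s3:DeleteBucketPolicy", "s3:PutBucketAcl", "s3:PutBucketPolicy",
    "s3:PutEncryptionConfiguration", "s3:PutObjectAcl",
]
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")

def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principal_accounts(principal):
    """Account IDs named by a Principal element; '*' means anonymous / any account.
    Only AWS principals count (Service/Federated are not 'another AWS account');
    NotPrincipal is not handled."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    accounts = set()
    for entry in as_list(principal.get("AWS")):
        if entry == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", entry):        # bare account ID form
            accounts.add(entry)
        else:
            match = ARN_ACCOUNT_RE.match(entry)      # arn:aws:iam::<account>:root etc.
            if match:
                accounts.add(match.group(1))
    return accounts

def action_matches(concrete, pattern):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(concrete.lower(), pattern.lower())

def sensitive_actions_allowed(statement):
    """Sensitive actions an Allow statement grants, through Action or NotAction."""
    if "Action" in statement:
        patterns = as_list(statement["Action"])
        return [a for a in SENSITIVE_ACTIONS if any(action_matches(a, p) for p in patterns)]
    if "NotAction" in statement:   # Allow + NotAction grants everything not excluded
        patterns = as_list(statement["NotAction"])
        return [a for a in SENSITIVE_ACTIONS if not any(action_matches(a, p) for p in patterns)]
    return []

def find_external_grants(policy_document, home_account):
    """One finding per Allow statement granting a sensitive action to a principal
    outside home_account. Condition blocks are ignored on purpose, so the result is
    conservative: a grant limited by a Condition still produces a finding."""
    findings = []
    for index, statement in enumerate(as_list(json.loads(policy_document).get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        external = principal_accounts(statement.get("Principal")) - {home_account}
        actions = sensitive_actions_allowed(statement) if external else []
        if actions:
            findings.append({"sid": statement.get("Sid", f"Statement[{index}]"),
                             "principals": sorted(external), "actions": actions})
    return findings

# Constructed policy for a bucket owned by account 111111111111.
NON_COMPLIANT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CrossAccountWrite", "Effect": "Allow",        # 2222... may rewrite the policy
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "111111111111"]},
     "Action": ["s3:GetObject", "s3:PutBucketPolicy"],
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",   # read only: not listed
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "EverythingButRead", "Effect": "Allow",        # NotAction grants all writes
     "Principal": {"AWS": "arn:aws:iam::333333333333:user/deploy"},
     "NotAction": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

# The read-only grant from the remediation section, scoped to one external account.
COMPLIANT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "222222222222"}, "Action": "s3:Get*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
]})

if __name__ == "__main__":
    for name, doc in (("non-compliant", NON_COMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, json.dumps(find_external_grants(doc, "111111111111"), indent=2))
```

To run it against a live bucket, feed the policy string returned by `aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text` to find_external_grants together with your own 12-digit account ID. The PublicRead statement shows the boundary of this check: anonymous read access is not one of the listed actions, so it is not reported here even though it is a finding for other controls.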

Remediation

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Storage > S3.
  4. Choose the bucket with the overly permissive policy.
  5. Navigate to the permissions tab, and click Edit under Bucket policy.
  6. Update the policy so that none of the Actions below is granted to a principal outside your account: restrict the Principal element to principals in your own account, remove the Actions, or both. A statement whose Principal is one of the wildcards below grants access to every AWS account and must be narrowed or removed.
    • Action:
      • *
      • s3:*
      • s3:Delete*
      • s3:Put*
      • s3:DeleteBucketPolicy
      • s3:PutBucketAcl
      • s3:PutBucketPolicy
      • s3:PutEncryptionConfiguration
      • s3:PutObjectAcl
    • Principal:
      • *
      • AWS:*
  7. Click Save changes.

From CLI:

Create a bucket policy and save it as a JSON file. The example below grants only read access (s3:Get*) to a single external account; replace <aws_account_id> with that account's 12-digit account ID (or its root ARN, arn:aws:iam::<aws_account_id>:root) and <bucket_name> with the bucket name:

{
  "Version": "2012-10-17",
  "Id": "my_bucket_policy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<aws_account_id>"
      },
      "Action": "s3:Get*",
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ]
    }
  ]
}

Then apply it with the s3api command below. Note: this replaces any existing bucket policy in full, so merge any statements you need to keep into the file first:

aws s3api put-bucket-policy --bucket <bucket_name> --policy file://<policy_filename>

References

https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-6
https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html