| Field | Value |
|---|---|
| Plugin Title | S3 Bucket All Users ACL |
| Cloud | AWS |
| Category | S3 |
| Description | Ensures S3 buckets do not allow global write, delete, or read ACL permissions |
| More Info | S3 buckets can be configured to allow anyone, regardless of whether they are an AWS user or not, to write objects to a bucket or delete objects. This option should not be configured unless there is a strong business requirement. |
| AWS Link | http://docs.aws.amazon.com/AmazonS3/latest/UG/EditingBucketPermissions.html |
| Recommended Action | Disable global all-users grants on all S3 buckets and ensure the bucket ACL is configured with least privilege. |
1. Log in to the AWS Management Console.
2. Select the "Services" option and search for S3.
3. Scroll down the left navigation panel and choose "Buckets".
4. Select the bucket that needs to be verified and click on its identifier (name) in the "Bucket name" column.
5. Click on the "Permissions" tab on the top menu.
6. Under "Permissions", scroll down the configuration page to "Block public access (bucket settings)" and check its status. If the status is "Off", public access to your S3 bucket and its objects is not being blocked at the bucket level.
7. Scroll down to "Access control list (ACL)" and verify whether the bucket grants any permission to "Everyone (public access)".
8. If public List, Read or Write access is enabled in step 6 or 7, disable it by clicking "Edit" under "Block public access (bucket settings)", selecting "Block all public access" and clicking the "Save changes" button.
9. In the "Edit Block public access (bucket settings)" confirmation box, type "confirm" in the text box and click the "Confirm" button.
10. Scroll down to "Access control list (ACL)" and click "Edit". On the "Edit access control list (ACL)" page, uncheck all checkboxes other than "Bucket owner (your AWS account)" and click the "Save changes" button.
11. Repeat steps 4 - 10 to disable global write, delete, or read ACL permissions on other S3 buckets.
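The console steps above check two things per bucket: the "Block public access" settings (step 6) and the ACL grants to "Everyone (public access)" (step 7). The following Python is an added example, not part of the plugin page or the CloudSploit code base: it performs the same evaluation offline over an ACL document and a public-access-block configuration in the shape returned by `aws s3api get-bucket-acl` and `aws s3api get-public-access-block` (the group URIs and setting names are the real AWS ones; the bucket names and ACL contents are constructed samples, and the PASS/FAIL classification is the example's own, not the plugin's exact logic).

```python
"""Evaluate S3 bucket ACLs for global grants, as the plugin's console steps do.

Added example, not the plugin's own code. Inputs are dicts in the shape
produced by `aws s3api get-bucket-acl` and `get-public-access-block`.
"""

# Real AWS group URIs that make an ACL grant "global".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {
    ALL_USERS: "Everyone (public access)",
    AUTHENTICATED_USERS: "Authenticated users group (anyone with an AWS account)",
}


def global_grants(acl):
    """Return (grantee label, permission) for each grant to a global group (step 7)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS:
            findings.append((GLOBAL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def public_acls_ignored(pab):
    """True when the bucket's Block public access settings neutralise public ACLs (step 6).

    BlockPublicAcls stops new public grants being added; IgnorePublicAcls makes
    existing public grants ineffective. Both must be on for the ACL to be moot.
    """
    if not pab:
        return False
    return bool(pab.get("BlockPublicAcls")) and bool(pab.get("IgnorePublicAcls"))


def assess_bucket(name, acl, pab):
    """Classify one bucket: FAIL on any global grant, PASS otherwise (example's own scheme)."""
    grants = global_grants(acl)
    if not grants:
        return {"bucket": name, "status": "PASS", "message": "No global ACL grants", "grants": []}
    perms = ", ".join(f"{who}: {perm}" for who, perm in grants)
    message = f"Global ACL grants present ({perms})"
    if public_acls_ignored(pab):
        # Exposure is mitigated, but the ACL itself still violates least privilege.
        message += "; currently neutralised by Block public access, ACL should still be cleaned up"
    return {"bucket": name, "status": "FAIL", "message": message, "grants": grants}


def remediation_commands(name):
    """AWS CLI equivalents of console steps 8-10 for one bucket (real s3api commands)."""
    pab = "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
    return [
        f"aws s3api put-public-access-block --bucket {name} --public-access-block-configuration {pab}",
        f"aws s3api put-bucket-acl --bucket {name} --acl private",
    ]


# Constructed sample inputs (not real buckets or account IDs).
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
SAMPLE_ACL_PUBLIC = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}
SAMPLE_ACL_PRIVATE = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}
PAB_ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                   "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    for bucket, acl, pab in [("example-public-bucket", SAMPLE_ACL_PUBLIC, PAB_OFF),
                             ("example-mitigated-bucket", SAMPLE_ACL_PUBLIC, PAB_ALL_BLOCKED),
                             ("example-private-bucket", SAMPLE_ACL_PRIVATE, PAB_OFF)]:
        result = assess_bucket(bucket, acl, pab)
        print(f"{result['status']:4} {bucket}: {result['message']}")
        if result["status"] == "FAIL":
            for cmd in remediation_commands(bucket):
                print("     ", cmd)
```

To run this against real buckets, feed it the JSON from `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-public-access-block --bucket NAME` (the latter returns an error when no block configuration exists, which the example treats as "nothing blocked" by passing `None`). Note that a private ACL is not the whole story: a bucket policy can also grant public access, which is why step 8 enables all four Block public access settings rather than only the two that affect ACLs.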