Amazon_S3_14

Ensure S3 buckets do not grant world-readable (LIST) permission to anonymous users

Description

The contents of an AWS S3 bucket should not be publicly listable, in order to protect against unauthorized access. An S3 bucket that grants READ (LIST) access to Everyone allows anonymous users to enumerate the objects within the bucket. Malicious users can use the object names obtained through listing to find objects with misconfigured ACL permissions and access those objects.

Remediation

There are two methods to remove world access from your S3 bucket:

A. To remove ACL access permissions for an S3 bucket that is world-readable:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, choose the name of the bucket that you want to set permissions for.
  3. Choose Permissions.
  4. In the Public access section, click the Everyone check box.
  5. Uncheck the Read objects checkbox.
  6. Click Save.

B. Perform the following steps to modify the bucket policy:

  1. Sign in to the AWS Management Console.
  2. Navigate to the S3 dashboard at https://console.aws.amazon.com/s3/.
  3. Select the S3 bucket that you want to examine and click the Permissions tab.
  4. Inside Permissions, click the Bucket policy tab.
  5. Click Edit bucket policy to open the bucket policy currently in use.
  6. In the Bucket Policy Editor dialog box, verify the Effect and Principal policy elements. Effect describes the permission effect applied when a user requests the action(s) defined in the policy; its value can be either Allow or Deny. Principal is the account or user that is granted access to the actions and resources declared in the policy statement. If the Effect element is set to Allow for Read (list) actions and the Principal element is set to “*” (i.e. everyone) or {“AWS”: “*”}, the selected S3 bucket is publicly accessible unless there is a Condition element, and can be marked as insecure.
  7. Change the Principal value from “*” to a Principal element that specifies the user, account, service, or other entity that should be allowed or denied access to the resource.
  8. Repeat steps no. 3 –
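As an added example (not part of this rule page or of any vendor tool), the following Python check applies the test from step 6 and from method A offline, to a bucket policy document and a bucket ACL in the shapes returned by the S3 GetBucketPolicy and GetBucketAcl APIs: it flags Allow statements with Principal "*" or {"AWS": "*"} that grant s3:ListBucket (including via wildcards) and carry no Condition, and ACL grants of READ or FULL_CONTROL to the AllUsers (Everyone) group. The bucket name, Sids and IDs in the sample inputs are constructed placeholders.

```python
import fnmatch

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3's "Everyone" group
LIST_ACTION = "s3:listbucket"  # IAM matches action names case-insensitively


def _as_list(value):
    """Statement, Action and Principal.AWS may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two forms step 6 names."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_list_statements(policy):
    """Sids of Allow statements that grant anonymous LIST and carry no Condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # Deny statements and conditional grants are not flagged here
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatch(LIST_ACTION, p) for p in patterns):  # covers s3:* and *
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_read_acl_grants(acl):
    """Permissions granted to AllUsers that allow listing (READ or FULL_CONTROL)."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") == ALL_USERS_URI
            and g.get("Permission") in ("READ", "FULL_CONTROL")]


# Constructed sample inputs (placeholder bucket name and IDs, not from a real account).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
]}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
]}
```

Running `public_list_statements(SAMPLE_POLICY)` returns `['PublicList']` (the VpcOnly statement is skipped because of its Condition) and `public_read_acl_grants(SAMPLE_ACL)` returns `['READ']`.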

Service

S3

Severity

High

Compliance

Mapping
