Amazon_S3_38

Ensure that S3 Bucket policy doesn't allow actions from all principals.(Condition exists)

Description

Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion. S3 bucket policy should ensure that principal of least privilege is being followed. A condition statement can be used to control the scope of the policy.

Remediation

From Portal:
1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.
3. Choose Permissions.
4. Under Bucket policy, choose Edit. This opens the Edit bucket policy page.
5. In the Policy box, edit the existing policy.
6. Choose Save changes, which returns you to the Bucket Permissions page.

From Command Line:
To add a policy with required permissions and appropriate condition as needed, run:

aws s3api put-bucket-policy –bucket BUCKET-NAME –policy file://policy.json

References:
1. https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
2. https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
3. https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html

Service

S3

Severity

High

Compliance

Mapping

We are now live on AWS Marketplace.
The integrated view of your cloud infrastructure is now easier than ever!