S3 Buckets shouldn't be Publicly Open

Granting the public read or write access to an S3 bucket is a critical issue. Leaving an S3 bucket open to public access can lead to severe consequences such as data loss and unexpected charges on your AWS bill.


Parameters

None

What this rule checks

The S3 Buckets shouldn't be Publicly Open rule checks that the following four conditions are met:

  • READ or READ_ACP access is not granted to the groups AllUsers or AllAuthenticatedUsers.
  • WRITE or WRITE_ACP access is not granted to the groups AllUsers or AllAuthenticatedUsers.
  • FULL_CONTROL is not granted to the groups AllUsers or AllAuthenticatedUsers.
  • The s3:GetObject, s3:PutObject, or s3:DeleteObject action is not granted with an Effect of Allow to the principal * (everyone).

Example failing policy (the "Principal": "*" entry is what causes the rule to fail):

{
  "Id": "Policy1234567890",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetData",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::app/*",
      "Principal": "*"
    }
  ]
}
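The four conditions above can be evaluated offline against the two documents a scanner fetches per bucket: the ACL (the output shape of aws s3api get-bucket-acl) and the bucket policy (aws s3api get-bucket-policy). The following is an added example, not code from the rule documentation or its vendor. The AllUsers and AllAuthenticatedUsers groups are matched by their grantee URIs, the public principal is matched as either "*" or {"AWS": "*"}, and a wildcard action ("s3:*" or "*") is also reported because it implies the three listed actions, which goes beyond the rule's literal wording. The ACL and policy inputs are constructed in-line; the owner ID is a placeholder.

```python
"""Offline check for the "S3 Buckets shouldn't be Publicly Open" conditions.

Added example, not part of the rule documentation. It evaluates the two
documents a scanner would normally fetch with get-bucket-acl and
get-bucket-policy; the sample inputs below are constructed in-line.
"""
import json

# Grantee URIs behind the AllUsers and AllAuthenticatedUsers groups.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AllAuthenticatedUsers",
}
# ACL permissions named by conditions 1-3 of the rule.
ACL_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Object actions named by condition 4 (compared case-insensitively, as IAM does).
PUBLIC_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject"}


def _as_list(value):
    """IAM policy fields such as Action, Statement and Principal.AWS may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Conditions 1-3: grants of any listed permission to a public group.

    `acl` has the shape returned by `aws s3api get-bucket-acl`.
    Returns a list of (group name, permission) tuples; empty means compliant.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group and grant.get("Permission") in ACL_PERMISSIONS:
            findings.append((group, grant["Permission"]))
    return findings


def _principal_is_everyone(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_actions(policy):
    """Condition 4: Allow statements granting object actions to everyone.

    `policy` is the parsed bucket policy document. A wildcard action ("s3:*"
    or "*") is reported too because it implies the three listed actions.
    Condition blocks are not evaluated, so a statement narrowed by a Condition
    is still reported here and needs a manual look.
    Returns a list of (Sid, action) tuples; empty means compliant.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() in PUBLIC_ACTIONS or action in ("s3:*", "*"):
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


def evaluate_bucket(acl, policy):
    """Apply all four conditions. Returns (compliant, list of human-readable findings)."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    findings += [f"policy statement {sid!r} allows {action} to Principal *"
                 for sid, action in public_policy_actions(policy or {})]
    return (not findings, findings)


# --- constructed sample inputs (placeholder owner ID, not a real account) -----
PRIVATE_ACL = {
    "Owner": {"ID": "constructed-canonical-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-canonical-owner-id"},
                "Permission": "FULL_CONTROL"}],
}
PUBLIC_ACL = {
    "Owner": PRIVATE_ACL["Owner"],
    "Grants": PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}],
}
# The failing policy from the rule text, and the same policy restricted to the account root.
FAILING_POLICY = json.loads("""{
  "Id": "Policy1234567890", "Version": "2012-10-17",
  "Statement": [{"Sid": "AllowGetData",
                 "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                 "Effect": "Allow", "Resource": "arn:aws:s3:::app/*", "Principal": "*"}]
}""")
FIXED_POLICY = json.loads(json.dumps(FAILING_POLICY))  # deep copy via round-trip
FIXED_POLICY["Statement"][0]["Principal"] = {"AWS": "arn:aws:iam::123456789012:root"}

if __name__ == "__main__":
    for name, acl, policy in (("app (before)", PUBLIC_ACL, FAILING_POLICY),
                              ("app (after)", PRIVATE_ACL, FIXED_POLICY)):
        ok, findings = evaluate_bucket(acl, policy)
        print(name, "PASS" if ok else "FAIL", *findings, sep="\n  ")
```

Running the module reports four findings for the "before" pair (one ACL grant plus the three object actions) and none for the "after" pair. In a real scan the ACL and policy would come from the API; the check functions themselves do not depend on boto3.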

Remediation

Remediating READ, READ_ACP, WRITE, WRITE_ACP, FULL_CONTROL access:
  1. To stop your S3 bucket from being publicly open, use the put-bucket-acl command to reset the bucket ACL to private:
aws s3api put-bucket-acl \
    --bucket app-directory \
    --acl private
  2. Repeat step 1 for each bucket that you want to reconfigure.
Remediating principal:* access:
  1. To stop a bucket from being accessible to everyone, create a bucket policy that restricts the principal. The following example allows access to the bucket only for the account's root user:
{
  "Id": "Policy1234567890",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetData",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::app/*",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" }
    }
  ]
}
  2. Use the delete-bucket-policy command to remove the existing public bucket policy:
aws s3api delete-bucket-policy \
    --bucket app
  3. Use the put-bucket-policy command to apply the bucket policy that you created in step 1:
aws s3api put-bucket-policy \
    --bucket app \
    --policy file://bucket-policy.json
  4. Repeat steps 1-3 for each bucket that is failing.