Triage and Remediation
Remediation
Using Console
- Sign in to the AWS Management Console.
- Navigate to the CloudTrail service.
- Select Trails from the navigation pane.
- Identify Trails with Publicly Accessible Buckets:
  - Review each trail listed in the CloudTrail console and identify those whose S3 bucket is publicly accessible.
- Review Bucket ACL and Bucket Policy:
  - Click on each trail to view its details.
  - Under the "S3 bucket" section, note the bucket and review its ACL and bucket policy for any grants to "AllUsers" or "AuthenticatedUsers" with "FULL_CONTROL" permission.
- Remove Public Access:
  - If there are grants allowing public access, remove them:
    - Modify the bucket ACL to remove any grants allowing public access.
    - Delete the bucket policy if it allows public access.
- Repeat for Other Trails:
  - Repeat the above steps for all trails with publicly accessible S3 buckets.
Using CLI
- Identify CloudTrail Trails with Publicly Accessible Buckets:
  - Replace 'public-accessible-bucket' in the command with the name of the bucket you're investigating.
- Remove Public Access from S3 Bucket ACL:
  - Replace BUCKET_NAME with the name of the S3 bucket.
- Remove Bucket Policy (if exists):
  - Replace BUCKET_NAME with the name of the S3 bucket.
- Repeat for Other Trails:
  - If there are multiple CloudTrail trails with publicly accessible S3 buckets, repeat the above steps for each of them.
Using Python
Here's a Python script to identify and remediate CloudTrail trails with publicly accessible S3 buckets:

This Python script identifies CloudTrail trails with publicly accessible S3 buckets and provides a placeholder for the remediation logic. You would need to implement the logic to modify the bucket ACL and bucket policy to remove public access.

Make sure you have the appropriate IAM permissions for managing CloudTrail trails and their S3 buckets if you're using the AWS CLI or the Python script.
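The following is an added example, not the page's own script: it walks every trail returned by describe_trails(), checks the log bucket's ACL for AllUsers/AuthenticatedUsers grants and its bucket policy for a wildcard principal, and (with remediate=True) fills in the remediation step the page leaves as a placeholder by stripping only the public ACL grants and deleting a public policy. The cloudtrail and s3 arguments are assumed to be boto3 clients (boto3.client("cloudtrail") and boto3.client("s3")); a CloudTrail policy whose principal is the cloudtrail.amazonaws.com service is deliberately not treated as public.

```python
import json

PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",           # everyone
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}  # any AWS account

def public_acl_grants(acl):
    """Grants in a get_bucket_acl() response that go to AllUsers or AuthenticatedUsers."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

def policy_allows_public(policy_json):
    """True if an Allow statement in the bucket policy names a wildcard principal."""
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):          # {"AWS": "*"} or {"AWS": ["*", ...]}
            principal = principal.get("AWS", [])
        principals = principal if isinstance(principal, list) else [principal]
        if stmt.get("Effect") == "Allow" and "*" in principals:
            return True
    return False

def audit_trail_buckets(cloudtrail, s3, remediate=False):
    """Check each trail's log bucket; returns {bucket: [findings]} ([] means not public).
    With remediate=True, public ACL grants are removed and a public bucket policy is deleted."""
    report = {}
    for trail in cloudtrail.describe_trails()["trailList"]:
        bucket = trail.get("S3BucketName")
        if not bucket or bucket in report:   # no bucket, or already checked via another trail
            continue
        findings = []
        acl = s3.get_bucket_acl(Bucket=bucket)
        public = public_acl_grants(acl)
        if public:
            findings.append("public ACL grant: " + ", ".join(g["Permission"] for g in public))
            if remediate:   # keep every other grant, drop only the public ones
                s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy={
                    "Owner": acl["Owner"], "Grants": [g for g in acl["Grants"] if g not in public]})
        try:
            policy = s3.get_bucket_policy(Bucket=bucket)["Policy"]
        except Exception as err:   # botocore ClientError with code NoSuchBucketPolicy = no policy
            if getattr(err, "response", {}).get("Error", {}).get("Code") != "NoSuchBucketPolicy":
                raise
            policy = None
        if policy and policy_allows_public(policy):
            findings.append("bucket policy allows public access")
            if remediate:
                s3.delete_bucket_policy(Bucket=bucket)
        report[bucket] = findings
    return report
```

Run it once with remediate=False to get a report of affected buckets, review it, and then run it with remediate=True; the same report is returned afterwards and should be empty lists for every bucket.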