S3 Buckets Should Have Object Lock Enabled
More Info:
AWS S3 buckets should use Object Lock for data protection and/or regulatory compliance and in order to prevent the objects they store from being deleted.
Risk Level: Low
Address: Security
Compliance Standards: HIPAA, SOC2
Triage and Remediation
Remediation
To remediate the issue of S3 buckets not having write configuration enabled, you can follow the steps below using the AWS console:
- Log in to the AWS Management Console.
- Navigate to the S3 service.
- Select the S3 bucket that you want to remediate.
- Click on the “Permissions” tab.
- Scroll down to the “Bucket policy” section and click on “Edit”.
- Add the following policy to enable write configuration:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWrite",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:PutBucketVersioning",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:PutBucketLogging",
        "s3:PutBucketWebsite",
        "s3:PutBucketNotification",
        "s3:PutBucketTagging",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name"
      ]
    }
  ]
}
```
Note: Replace “your-bucket-name” with the actual name of your S3 bucket. A Principal of "AWS": "*" applies the statement to every AWS principal, so scope it to the account or role that actually needs these permissions.
- Click on “Save changes” to save the policy.
- Verify that the write configuration is now enabled for the S3 bucket by checking the bucket properties.
To remediate the S3 bucket write configuration misconfiguration in AWS using AWS CLI, follow the steps below:
1. Open the AWS CLI on your local machine.
2. Run the following command to list all the S3 buckets in your AWS account:
```bash
aws s3 ls
```
3. Identify the S3 bucket that has the write configuration misconfiguration.
4. Run the following command to update the bucket policy to enable write configuration:
```bash
aws s3api put-bucket-policy --bucket <bucket-name> --policy file://policy.json
```
Note: Replace `<bucket-name>` with the name of the S3 bucket that needs to be updated with the write configuration.
5. Create a file named `policy.json` and add the following JSON code to it:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*"
      ]
    }
  ]
}
```
Note: Replace `<bucket-name>` with the name of the S3 bucket that needs to be updated with the write configuration.
6. Save the `policy.json` file and run the command in step 4.
7. Verify that the write configuration has been enabled for the S3 bucket by running the following command:
```bash
aws s3api get-bucket-policy --bucket <bucket-name>
```
Note: Replace `<bucket-name>` with the name of the S3 bucket that has been updated with the write configuration.
8. The command in step 7 should return the updated bucket policy with the write configuration enabled.
By following the above steps, you can remediate the S3 bucket write configuration misconfiguration in AWS using AWS CLI.
To remediate the S3 bucket write configuration issue in AWS using Python, you can follow these steps:
- Import the necessary libraries (`json` is needed to serialize the policy document):
```python
import json

import boto3
from botocore.exceptions import ClientError
```
- Create an S3 client:
```python
s3 = boto3.client('s3')
```
- Get a list of all the S3 buckets in your account:
```python
buckets = s3.list_buckets()
```
- For each bucket, check if the bucket policy allows write access:
```python
for bucket in buckets['Buckets']:
    bucket_name = bucket['Name']
    # Principal '*' applies this statement to every caller, anonymous users included;
    # scope it to the intended account or role before applying it.
    write_statement = {
        'Sid': 'AddPerm',
        'Effect': 'Allow',
        'Principal': '*',
        'Action': ['s3:PutObject'],
        'Resource': f'arn:aws:s3:::{bucket_name}/*'
    }
    try:
        bucket_policy = s3.get_bucket_policy(Bucket=bucket_name)
        policy_text = bucket_policy['Policy']
        if 's3:PutObject' not in policy_text:
            # Append the 's3:PutObject' statement, keeping the existing statements intact
            policy = json.loads(policy_text)
            policy['Statement'].append(write_statement)
            s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(policy))
            print(f'Write access added to bucket {bucket_name}')
        else:
            print(f'Bucket {bucket_name} already has write access')
    except ClientError as e:
        if e.response['Error']['Code'] == 'NoSuchBucketPolicy':
            # No policy exists yet: create one with the 's3:PutObject' statement
            new_policy = {
                'Version': '2012-10-17',
                'Statement': [write_statement]
            }
            s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(new_policy))
            print(f'Write access added to bucket {bucket_name}')
        else:
            print(f'Error: {e}')
```
This code will check each bucket in your account and add the ‘s3:PutObject’ permission to the bucket policy if it’s not already there. If the bucket doesn’t have a policy, it will create one with the ‘s3:PutObject’ permission.
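The two things an auditor wants to know before and after applying the policies above are whether each bucket actually has Object Lock enabled (the finding this page is about) and whether any bucket policy statement grants write actions to a wildcard principal, which is what both policy documents above do. The following is an added example written for this page, not code from the original remediation; the function names are hypothetical, the error codes are the ones botocore returns for a missing Object Lock configuration and a missing bucket policy, and `s3` can be any object exposing the boto3 S3 client methods used, so the checks run offline against a test double.

```python
import json

WRITE_PREFIXES = ("s3:Put", "s3:Delete")  # "*" and "s3:*" are matched separately

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal) -> bool:
    """True when the statement applies to every caller, anonymous users included."""
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def public_write_statements(policy_json: str) -> list:
    """Sid (or index) of each Allow statement granting write actions to everyone.
    Condition blocks are not evaluated, so a flagged statement may be narrower in practice."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        # Allow + NotAction grants everything except the listed actions, so it is write-capable.
        if "NotAction" in stmt or any(a in ("*", "s3:*") or a.startswith(WRITE_PREFIXES) for a in actions):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

def _error_code(exc) -> str:
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")  # botocore ClientError shape

def audit_buckets(s3) -> dict:
    """Per bucket: is Object Lock enabled, and which policy statements allow public writes?"""
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            cfg = s3.get_object_lock_configuration(Bucket=name)["ObjectLockConfiguration"]
            lock_enabled = cfg.get("ObjectLockEnabled") == "Enabled"
        except Exception as e:  # botocore raises ClientError; only the "not configured" code is expected
            if _error_code(e) != "ObjectLockConfigurationNotFoundError":
                raise
            lock_enabled = False
        try:
            public = public_write_statements(s3.get_bucket_policy(Bucket=name)["Policy"])
        except Exception as e:
            if _error_code(e) != "NoSuchBucketPolicy":
                raise
            public = []
        report[name] = {"object_lock": lock_enabled, "public_write": public}
    return report
```

Running `audit_buckets(boto3.client("s3"))` checks every bucket in the account; a bucket that comes back with `"object_lock": False` is the condition this page flags, and a non-empty `"public_write"` list means a statement like the ones above is in place.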