More Info:

AWS S3 buckets should use Object Lock for data protection and/or regulatory compliance and in order to prevent the objects they store from being deleted.

Risk Level

Low

Address

Security

Compliance Standards

HIPAA, SOC2

Triage and Remediation

Remediation

Using Console

To remediate the issue of S3 buckets not having write configuration enabled, you can follow the below steps using AWS console:
  1. Log in to the AWS Management Console.
  2. Navigate to the S3 service.
  3. Select the S3 bucket that you want to remediate.
  4. Click on the “Permissions” tab.
  5. Scroll down to the “Bucket policy” section and click on “Edit”.
  6. Add the following policy to enable write configuration:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowWrite",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutBucketVersioning",
                "s3:PutBucketAcl",
                "s3:PutBucketPolicy",
                "s3:PutBucketLogging",
                "s3:PutBucketWebsite",
                "s3:PutBucketNotification",
                "s3:PutBucketTagging",
                "s3:PutLifecycleConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name"
            ]
        }
    ]
}
Note: Replace “your-bucket-name” with the actual name of your S3 bucket.
  1. Click on “Save changes” to save the policy.
  2. Verify that the write configuration is now enabled for the S3 bucket by checking the bucket properties.

To remediate the S3 bucket write configuration misconfiguration in AWS using AWS CLI, follow the steps below:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list all the S3 buckets in your AWS account: 
    aws s3 ls
  3. Identify the S3 bucket that has the write configuration misconfiguration.
  4. Run the following command to update the bucket policy to enable write configuration: 
    aws s3api put-bucket-policy --bucket <bucket-name> --policy file://policy.json
    Note: Replace <bucket-name> with the name of the S3 bucket that needs to be updated with the write configuration.
  5. Create a file named policy.json and add the following JSON code to it: 
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}
    Note: Replace <bucket-name> with the name of the S3 bucket that needs to be updated with the write configuration.
  6. Save the policy.json file and run the command in step 4.
  7. Verify that the write configuration has been enabled for the S3 bucket by running the following command: 
    aws s3api get-bucket-policy --bucket <bucket-name>
    Note: Replace <bucket-name> with the name of the S3 bucket that has been updated with the write configuration.
  8. The command in step 7 should return the updated bucket policy with the write configuration enabled.
By following the above steps, you can remediate the S3 bucket write configuration misconfiguration in AWS using AWS CLI.
To remediate the S3 bucket write configuration issue in AWS using Python, you can follow these steps:
  1. Import the necessary libraries:
import boto3
from botocore.exceptions import ClientError
  1. Create an S3 client:
s3 = boto3.client('s3')
  1. Get a list of all the S3 buckets in your account:
buckets = s3.list_buckets()
  1. For each bucket, check if the bucket policy allows write access:
for bucket in buckets['Buckets']:
    bucket_name = bucket['Name']
    try:
        bucket_policy = s3.get_bucket_policy(Bucket=bucket_name)
        policy_text = bucket_policy['Policy']
        if 's3:PutObject' not in policy_text:
            # Add the 's3:PutObject' permission to the bucket policy
            new_policy = {
                'Version': '2012-10-17',
                'Statement': [{
                    'Sid': 'AddPerm',
                    'Effect': 'Allow',
                    'Principal': '*',
                    'Action': ['s3:PutObject'],
                    'Resource': f'arn:aws:s3:::{bucket_name}/*'
                }]
            }
            s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(new_policy))
            print(f'Write access added to bucket {bucket_name}')
        else:
            print(f'Bucket {bucket_name} already has write access')
    except ClientError as e:
        if e.response['Error']['Code'] == 'NoSuchBucketPolicy':
            # Create a new bucket policy with the 's3:PutObject' permission
            new_policy = {
                'Version': '2012-10-17',
                'Statement': [{
                    'Sid': 'AddPerm',
                    'Effect': 'Allow',
                    'Principal': '*',
                    'Action': ['s3:PutObject'],
                    'Resource': f'arn:aws:s3:::{bucket_name}/*'
                }]
            }
            s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(new_policy))
            print(f'Write access added to bucket {bucket_name}')
        else:
            print(f'Error: {e}')
This code will check each bucket in your account and add the ‘s3:PutObject’ permission to the bucket policy if it’s not already there. If the bucket doesn’t have a policy, it will create one with the ‘s3:PutObject’ permission.

Additional Reading: