S3 Bucket Should Not Allow FULL_CONTROL Access to Authenticated Users

More Info:

AWS S3 buckets should not be granting FULL_CONTROL access to authenticated users (i.e. signed AWS accounts or AWS IAM users) in order to prevent unauthorized access. Exposing your S3 buckets to AWS signed accounts or users can lead to data leaks, data loss and unexpected charges for the S3 service.

Risk Level

High

Address

Security

Compliance Standards

CBP, AWSWAF, PCIDSS, NIST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration in AWS, you can follow the below steps using AWS CLI:

Open the AWS CLI and run the following command to list all the S3 buckets in your account:
```
aws s3api list-buckets
```
Identify the S3 bucket that is allowing FULL_CONTROL access to authenticated users.
Run the following command to remove the FULL_CONTROL access for authenticated users:
```
aws s3api put-bucket-acl --bucket <bucket-name> --grant-full-control id=uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers
```
Replace <bucket-name> with the name of the S3 bucket that you want to remediate.
Verify that the FULL_CONTROL access for authenticated users has been removed by running the following command:
```
aws s3api get-bucket-acl --bucket <bucket-name>
```
This command will display the access control list (ACL) for the specified S3 bucket. Verify that the authenticated users no longer have FULL_CONTROL access.
Repeat the above steps for any other S3 buckets that are allowing FULL_CONTROL access to authenticated users.

By following the above steps, you can remediate the misconfiguration in AWS where S3 bucket is allowing FULL_CONTROL access to authenticated users.

Using Python

To remediate the misconfiguration “S3 Bucket Should Not Allow FULL_CONTROL Access to Authenticated Users” in AWS using Python, you can follow these steps:

First, you need to identify the S3 buckets that have full control access to authenticated users. You can use the AWS SDK for Python (Boto3) to list all the S3 buckets and their access control lists (ACLs).

import boto3

s3 = boto3.client('s3')

# List all the S3 buckets
buckets = s3.list_buckets()

# Iterate over the buckets and their ACLs
for bucket in buckets['Buckets']:
    bucket_name = bucket['Name']
    acl = s3.get_bucket_acl(Bucket=bucket_name)
    print(f"Bucket {bucket_name} ACL: {acl}")

Once you have identified the buckets with full control access to authenticated users, you can update their ACLs to remove the FULL_CONTROL permission for authenticated users. You can use the put_bucket_acl method of the S3 client to update the ACL.

import boto3

s3 = boto3.client('s3')

# Update the ACL for the bucket to remove FULL_CONTROL permission for authenticated users
s3.put_bucket_acl(
    Bucket='my-bucket',
    GrantFullControl='',
    GrantRead='',
    GrantWrite='',
    GrantReadACP='',
    GrantWriteACP='',
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'READ'
            },
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'WRITE'
            },
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'READ_ACP'
            },
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'WRITE_ACP'
            }
        ],
        'Owner': {
            'DisplayName': 'string',
            'ID': 'string'
        }
    }
)

This will remove the FULL_CONTROL permission for authenticated users from the ACL of the specified bucket. You can repeat this step for all the buckets that have full control access to authenticated users.

Additional Reading:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 Bucket Should Not Allow FULL_CONTROL Access to Authenticated Users

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: