1. Log in to your AWS Management Console.
2. Go to the S3 service.
3. Select the bucket that is misconfigured.
4. Click on the “Permissions” tab.
5. Click on “Bucket Policy”.
6. Remove any policies that allow write access to authenticated users.
7. You can also add a policy that explicitly denies write access to authenticated users.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAuthenticatedUsers",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalType": "AuthenticatedUser"
                }
            }
        }
    ]
}

8. Click on “Save” to apply the changes.

​

1. Open the AWS CLI on your local machine and run the following command to list all the S3 buckets in your AWS account: aws s3api list-buckets
2. Identify the S3 bucket that has WRITE access to authenticated users.
3. Run the following command to remove WRITE access for authenticated users on the identified S3 bucket: aws s3api put-bucket-acl --bucket bucket-name --grant-write "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers" Replace bucket-name with the name of the identified S3 bucket.
4. Run the following command to verify that authenticated users no longer have WRITE access to the S3 bucket: aws s3api get-bucket-acl --bucket bucket-name Replace bucket-name with the name of the identified S3 bucket.
5. Verify that the remediation has worked successfully by attempting to write to the S3 bucket using an authenticated user. The attempt should now fail.

1. First, you need to identify the S3 bucket that has WRITE access to authenticated users. You can use the following Python code to list all the S3 buckets and their ACLs:

import boto3

# Create an S3 client
s3 = boto3.client('s3')

# List all the S3 buckets
buckets = s3.list_buckets()

# Iterate through each bucket and print its ACL
for bucket in buckets['Buckets']:
    acl = s3.get_bucket_acl(Bucket=bucket['Name'])
    print(f"Bucket {bucket['Name']} ACL: {acl}")

2. Once you have identified the bucket with WRITE access to authenticated users, you can update its ACL to remove the WRITE access. You can use the following Python code to remove WRITE access from authenticated users:

import boto3

# Create an S3 client
s3 = boto3.client('s3')

# Set the bucket name and grantee type
bucket_name = 'your-bucket-name'
grantee_type = 'AuthenticatedUsers'

# Get the bucket ACL
acl = s3.get_bucket_acl(Bucket=bucket_name)

# Iterate through each grant and remove WRITE access from authenticated users
for grant in acl['Grants']:
    if grant['Grantee']['Type'] == grantee_type:
        acl['Grants'].remove(grant)
        
# Set the updated ACL for the bucket
s3.put_bucket_acl(Bucket=bucket_name, AccessControlPolicy=acl)

3. Run the above code to remove WRITE access from authenticated users for the identified S3 bucket.