S3 Bucket Should Not Allow WRITE Access to Authenticated Users

More Info:

S3 buckets should not allow WRITE access to AWS authenticated users through S3 ACLs.

Risk Level

Medium

Address

Security

Compliance Standards

CBP, HIPAA

Triage and Remediation

Remediation

Using Console

Sure, here are the step by step instructions to remediate the S3 Bucket Should Not Allow WRITE Access to Authenticated Users misconfiguration for AWS using AWS console:

Log in to your AWS Management Console.
Go to the S3 service.
Select the bucket that is misconfigured.
Click on the “Permissions” tab.
Click on “Bucket Policy”.
Remove any policies that allow write access to authenticated users.
You can also add a policy that explicitly denies write access to authenticated users.

Here is an example of a policy that denies write access to authenticated users:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAuthenticatedUsers",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalType": "AuthenticatedUser"
                }
            }
        }
    ]
}

Click on “Save” to apply the changes.

That’s it! You have now successfully remediated the S3 Bucket Should Not Allow WRITE Access to Authenticated Users misconfiguration for AWS using AWS console.

Using CLI

Using Python

To remediate the misconfiguration “S3 Bucket Should Not Allow WRITE Access to Authenticated Users” in AWS using Python, you can follow these steps:

First, you need to identify the S3 bucket that has WRITE access to authenticated users. You can use the following Python code to list all the S3 buckets and their ACLs:

import boto3

# Create an S3 client
s3 = boto3.client('s3')

# List all the S3 buckets
buckets = s3.list_buckets()

# Iterate through each bucket and print its ACL
for bucket in buckets['Buckets']:
    acl = s3.get_bucket_acl(Bucket=bucket['Name'])
    print(f"Bucket {bucket['Name']} ACL: {acl}")

Once you have identified the bucket with WRITE access to authenticated users, you can update its ACL to remove the WRITE access. You can use the following Python code to remove WRITE access from authenticated users:

import boto3

# Create an S3 client
s3 = boto3.client('s3')

# Set the bucket name and grantee type
bucket_name = 'your-bucket-name'
grantee_type = 'AuthenticatedUsers'

# Get the bucket ACL
acl = s3.get_bucket_acl(Bucket=bucket_name)

# Iterate through each grant and remove WRITE access from authenticated users
for grant in acl['Grants']:
    if grant['Grantee']['Type'] == grantee_type:
        acl['Grants'].remove(grant)
        
# Set the updated ACL for the bucket
s3.put_bucket_acl(Bucket=bucket_name, AccessControlPolicy=acl)

Run the above code to remove WRITE access from authenticated users for the identified S3 bucket.

Note: Make sure you have the necessary permissions to update the ACL of the S3 bucket.

Additional Reading:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 Bucket Should Not Allow WRITE Access to Authenticated Users

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: