More Info:

AWS S3 buckets should not grant WRITE_ACP access to the “Authenticated Users” group through their ACLs. Granting “WRITE_ACP” to authenticated users lets any other AWS account or IAM user rewrite the bucket’s ACL and thereby give itself permission to view, upload, modify and delete S3 objects within the bucket without restriction.

Risk Level

High

Address

Security

Compliance Standards

CBP, PCIDSS, NIST

Triage and Remediation

Remediation

To remediate the “S3 Bucket Should Not Allow WRITE_ACP Access to Authenticated Users” misconfiguration in AWS, you can follow these steps using the AWS console:

  1. Log in to the AWS Management Console.

  2. Navigate to the S3 service.

  3. Click on the name of the bucket that you want to remediate.

  4. Click on the “Permissions” tab.

  5. Click on the “Access control list (ACL)” button.

  6. Under the “Grantee” column, find the row that has “Authenticated Users”.

  7. In the “Permission” column, find the “WRITE_ACP” permission.

  8. Click on the “x” button to remove the “WRITE_ACP” permission for “Authenticated Users”.

  9. Click on the “Save” button to save the changes.

  10. Verify that the “Authenticated Users” group no longer has the “WRITE_ACP” permission by checking the “Access control list (ACL)” again.

  11. Repeat these steps for any other S3 buckets that have the same misconfiguration.

Note: You can also use AWS CLI or AWS SDKs to remediate this misconfiguration.
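As an added example (not part of the original page), the following Python works on the JSON that `aws s3api get-bucket-acl --bucket <name>` prints: it reports WRITE_ACP grants to the Authenticated Users group and builds the AccessControlPolicy document that `aws s3api put-bucket-acl --bucket <name> --access-control-policy file://acl.json` expects, with only the offending grants removed. It goes slightly beyond the page by also flagging FULL_CONTROL, which includes WRITE_ACP; the sample ACL and the owner ID in it are constructed.

```python
import copy
import json

AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# FULL_CONTROL implies WRITE_ACP, so it is treated as the same finding.
FLAGGED_PERMISSIONS = {"WRITE_ACP", "FULL_CONTROL"}


def is_authenticated_users_grant(grant):
    """True if the grant's grantee is the predefined Authenticated Users group."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") == AUTHENTICATED_USERS_URI


def is_flagged(grant):
    return is_authenticated_users_grant(grant) and grant.get("Permission") in FLAGGED_PERMISSIONS


def find_authenticated_write_acp(acl):
    """Return the flagged permissions granted to Authenticated Users (sorted, possibly empty)."""
    return sorted(g["Permission"] for g in acl.get("Grants", []) if is_flagged(g))


def remediated_policy(acl):
    """Build the put-bucket-acl policy: same owner, all grants except the flagged ones.

    Other grants (e.g. the owner's FULL_CONTROL) are kept so remediation does not
    lock the owner out; the input dict is not modified.
    """
    return {
        "Owner": copy.deepcopy(acl["Owner"]),
        "Grants": [copy.deepcopy(g) for g in acl.get("Grants", []) if not is_flagged(g)],
    }


# Constructed sample of a get-bucket-acl response for a misconfigured bucket.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE_CANONICAL_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_CANONICAL_ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI}, "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    print("flagged grants to Authenticated Users:", find_authenticated_write_acp(SAMPLE_ACL))
    # Save this output as acl.json and apply it with put-bucket-acl.
    print(json.dumps(remediated_policy(SAMPLE_ACL), indent=2))
```

The READ grant to Authenticated Users is deliberately left in place because it is a separate finding from this one; review it on its own.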
