1. Log in to the AWS Management Console.
2. Navigate to the S3 service.
3. Click on the name of the bucket that you want to remediate.
4. Click on the “Permissions” tab.
5. Click on the “Access control list (ACL)” button.
6. Under the “Grantee” column, find the row that has “Authenticated Users”.
7. In the “Permission” column, find the “WRITE_ACP” permission.
8. Click on the “x” button to remove the “WRITE_ACP” permission for “Authenticated Users”.
9. Click on the “Save” button to save the changes.
10. Verify that the “Authenticated Users” group no longer has the “WRITE_ACP” permission by checking the “Access control list (ACL)” again.
11. Repeat these steps for any other S3 buckets that have the same misconfiguration.

​

1. Open the AWS CLI on your local machine.
2. Run the following command to get a list of all S3 buckets in your AWS account:
   Copy

   Ask AI

   aws s3api list-buckets
   

3. Identify the S3 bucket that has WRITE_ACP access granted to authenticated users.
4. Run the following command to revoke WRITE_ACP access for authenticated users:
   Copy

   Ask AI

   aws s3api put-bucket-acl --bucket bucket-name --grant-write-acp uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers --acl private
   

   Replace “bucket-name” with the name of the S3 bucket that you want to remediate.
5. Verify that WRITE_ACP access for authenticated users has been revoked by running the following command:
   Copy

   Ask AI

   aws s3api get-bucket-acl --bucket bucket-name
   

   Replace “bucket-name” with the name of the S3 bucket that you want to remediate.
6. Repeat the above steps for all S3 buckets that have WRITE_ACP access granted to authenticated users.

1. Create an AWS S3 client using the AWS SDK for Python (Boto3).
2. Get the bucket policy using the get_bucket_policy() method of the S3 client.
3. Parse the JSON policy to identify the statement that allows WRITE_ACP access to authenticated users.
4. Remove the identified statement from the policy.
5. Update the bucket policy using the put_bucket_policy() method of the S3 client.

import boto3
import json

# Create an S3 client
s3 = boto3.client('s3')

# Get the bucket policy
bucket_name = 'your-bucket-name'
policy = s3.get_bucket_policy(Bucket=bucket_name)

# Parse the JSON policy
policy_json = json.loads(policy['Policy'])
statements = policy_json['Statement']

# Identify the statement that allows WRITE_ACP access to authenticated users
for statement in statements:
    if 'Principal' in statement and statement['Principal'] == {'AWS': '*'}:
        if 'Action' in statement and 's3:PutObjectAcl' in statement['Action']:
            if 'Condition' in statement and 'Bool' in statement['Condition']:
                if 'aws:SecureTransport' in statement['Condition']['Bool'] and statement['Condition']['Bool']['aws:SecureTransport'] == 'false':
                    # Remove the identified statement from the policy
                    policy_json['Statement'].remove(statement)

# Update the bucket policy
s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(policy_json))