S3 allows authenticated write remediation

Using Console

Sure, here are the step by step instructions to remediate the S3 Bucket Should Not Allow WRITE Access to Authenticated Users misconfiguration for AWS using AWS console:

Log in to your AWS Management Console.
Go to the S3 service.
Select the bucket that is misconfigured.
Click on the “Permissions” tab.
Click on “Bucket Policy”.
Remove any policies that allow write access to authenticated users.
You can also add a policy that explicitly denies write access to authenticated users.

Here is an example of a policy that denies write access to authenticated users:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAuthenticatedUsers",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalType": "AuthenticatedUser"
                }
            }
        }
    ]
}

Click on “Save” to apply the changes.

That’s it! You have now successfully remediated the S3 Bucket Should Not Allow WRITE Access to Authenticated Users misconfiguration for AWS using AWS console.

Using CLI

Using Python

To remediate the misconfiguration “S3 Bucket Should Not Allow WRITE Access to Authenticated Users” in AWS using Python, you can follow these steps:

First, you need to identify the S3 bucket that has WRITE access to authenticated users. You can use the following Python code to list all the S3 buckets and their ACLs:

import boto3

# Create an S3 client
s3 = boto3.client('s3')

# List all the S3 buckets
buckets = s3.list_buckets()

# Iterate through each bucket and print its ACL
for bucket in buckets['Buckets']:
    acl = s3.get_bucket_acl(Bucket=bucket['Name'])
    print(f"Bucket {bucket['Name']} ACL: {acl}")

Once you have identified the bucket with WRITE access to authenticated users, you can update its ACL to remove the WRITE access. You can use the following Python code to remove WRITE access from authenticated users:

import boto3

# Create an S3 client
s3 = boto3.client('s3')

# Set the bucket name and grantee type
bucket_name = 'your-bucket-name'
grantee_type = 'AuthenticatedUsers'

# Get the bucket ACL
acl = s3.get_bucket_acl(Bucket=bucket_name)

# Iterate through each grant and remove WRITE access from authenticated users
for grant in acl['Grants']:
    if grant['Grantee']['Type'] == grantee_type:
        acl['Grants'].remove(grant)
        
# Set the updated ACL for the bucket
s3.put_bucket_acl(Bucket=bucket_name, AccessControlPolicy=acl)

Run the above code to remove WRITE access from authenticated users for the identified S3 bucket.

Note: Make sure you have the necessary permissions to update the ACL of the S3 bucket.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 allows authenticated write remediation

Triage and Remediation

Remediation