S3 Bucket Should Not Allow Public FULL_CONTROL Access

More Info:

There should not be any publicly accessible S3 buckets available in your AWS account in order to protect your S3 data from loss and unauthorized access.

Risk Level

Critical

Address

Security

Compliance Standards

CBP, HITRUST, AWSWAF, SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this misconfiguration, you can follow these steps using AWS CLI:

Open your terminal and install the AWS CLI if you haven’t installed it already.
Run the following command to list all the S3 buckets in your account:
```
aws s3api list-buckets
```
Identify the bucket that has public FULL_CONTROL access.
Run the following command to remove the public FULL_CONTROL access from the bucket:
```
aws s3api put-bucket-acl --bucket <bucket-name> --acl private
```
Replace <bucket-name> with the name of the bucket that you identified in step 3.
Verify that the public FULL_CONTROL access has been removed by running the following command:
```
aws s3api get-bucket-acl --bucket <bucket-name>
```
Replace <bucket-name> with the name of the bucket that you identified in step 3. The output should show that there are no grants with the permission “FULL_CONTROL” for “AllUsers” or “AuthenticatedUsers”.
Repeat steps 3-5 for any other buckets that have public FULL_CONTROL access.

By following these steps, you have successfully remediated the misconfiguration of allowing public FULL_CONTROL access to an S3 bucket in AWS.

Using Python

To remediate the misconfiguration of an S3 bucket allowing public FULL_CONTROL access, you can follow these steps:

Open the AWS Management Console and navigate to the S3 service.
Select the bucket that you want to remediate.
Click on the “Permissions” tab and then click on the “Access control list (ACL)” option.
Locate the “Grantee” that is set to “Everyone” and has “FULL_CONTROL” permissions.
Remove the “Grantee” by clicking on the “x” icon next to it.
Click on the “Save” button to save the changes.

To automate this process using Python, you can use the AWS SDK for Python (Boto3) and follow these steps:

Install the Boto3 library by running the following command in your terminal:

pip install boto3

Create a new Python file and import the necessary libraries:

import boto3

Create a new S3 client:

s3 = boto3.client('s3')

Retrieve the ACL of the bucket:

bucket_acl = s3.get_bucket_acl(Bucket='your-bucket-name')

Loop through the ACL and remove any grant that has “FULL_CONTROL” permissions for the “AllUsers” group:

for grant in bucket_acl['Grants']:
    if grant['Grantee']['Type'] == 'Group' and grant['Grantee']['URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers' and grant['Permission'] == 'FULL_CONTROL':
        s3.put_bucket_acl(Bucket='your-bucket-name', AccessControlPolicy={'Grants': [g for g in bucket_acl['Grants'] if g != grant], 'Owner': bucket_acl['Owner']})

Run the Python script and check the S3 bucket to confirm that the public FULL_CONTROL access has been removed.

Note: Make sure to replace “your-bucket-name” with the name of your actual S3 bucket.

Additional Reading:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 Bucket Should Not Allow Public FULL_CONTROL Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: