More Info:
There should not be any publicly accessible S3 buckets in your AWS account, in order to protect your S3 data from loss and unauthorized access. A bucket ACL that grants FULL_CONTROL to the AllUsers (Everyone) or AuthenticatedUsers (any AWS account) group lets anyone read, overwrite, delete, and re-permission every object in it.
Risk Level: Critical
Address: Security
Compliance Standards: CBP, HITRUST, AWSWAF, SOC2, NISTCSF
Triage and Remediation
Remediation
Using Console
Follow these steps to remediate a bucket that grants public FULL_CONTROL access:
- Log in to the AWS Management Console and navigate to the S3 service.
- Click on the name of the bucket that has been flagged for public FULL_CONTROL access.
- Click on the “Permissions” tab and open the “Access control list (ACL)” section. Public access appears as grants to the “Everyone (public access)” grantee or the “Authenticated users group (anyone with an AWS account)” grantee.
- Click “Edit”, clear every permission granted to those two grantees, and save. Removing only FULL_CONTROL while leaving a public READ or WRITE grant still leaves the bucket public, so clear all of them unless a public grant is deliberate and documented.
- Also review the “Bucket policy” section. A statement with “Effect”: “Allow” and “Principal”: “*” (or {“AWS”: “*”}) that allows s3:* is the policy equivalent of public FULL_CONTROL; remove that statement by editing the JSON policy document and save.
- Finally, re-open the “Permissions” tab to confirm that no public grant with FULL_CONTROL remains, and consider enabling S3 Block Public Access (the IgnorePublicAcls and BlockPublicAcls settings) on the bucket or account so that a public ACL cannot be reintroduced later.
Using CLI
To remediate this misconfiguration with the AWS CLI:
- Install and configure the AWS CLI if you have not already done so.
- List the S3 buckets in your account (the s3api list-buckets operation).
- For each bucket, read its ACL (the s3api get-bucket-acl operation) and identify any bucket whose grants include the permission FULL_CONTROL for the AllUsers or AuthenticatedUsers group URI.
- Remove the public FULL_CONTROL grant. The simplest way is to reset the bucket to the canned “private” ACL (the s3api put-bucket-acl operation), which leaves only the bucket owner's FULL_CONTROL grant; if the bucket intentionally carries other non-public grants, instead write back the full access control policy with just the public grants removed.
- Verify by reading the ACL again: the output should show no grants with the permission FULL_CONTROL for AllUsers or AuthenticatedUsers.
- Repeat the identify, remove, and verify steps for any other buckets that have public FULL_CONTROL access.
Using Python
To remediate the misconfiguration of an S3 bucket allowing public FULL_CONTROL access with Python and Boto3:
- Install the Boto3 library and make sure the environment has AWS credentials that allow s3:GetBucketAcl and s3:PutBucketAcl on the bucket.
- Create a new Python file, import boto3, and create an S3 client.
- Retrieve the ACL of the bucket with get_bucket_acl.
- Loop through the Grants in the ACL and drop every grant whose grantee is the AllUsers group (and the AuthenticatedUsers group, which is equally public) with FULL_CONTROL permission; keep the owner's grant and every non-public grant.
- Write the filtered ACL back with put_bucket_acl, passing the Owner and the remaining Grants as the AccessControlPolicy.
- Run the Python script, then read the ACL again to confirm that the public FULL_CONTROL access has been removed.
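The following script is an added example that is not part of the original page: it implements the CLI and Python procedures above as one runnable unit. The ACL filtering and bucket-policy check are pure functions over the dict shape that boto3's get_bucket_acl returns, so they run offline against the constructed SAMPLE_ACL; only remediate_bucket touches AWS, and it imports boto3 lazily so the rest of the file works without it. The group URIs are the real ones S3 uses for AllUsers and AuthenticatedUsers; the bucket name, owner ID and sample policy are made up.

```python
"""Detect and strip public FULL_CONTROL grants from an S3 bucket ACL.

Added example for this page, not code from the original. Pure functions
operate on the get_bucket_acl() response shape; remediate_bucket() is the
live boto3 path and is only exercised when you pass a real bucket name.
"""
import json

# The two global group URIs S3 treats as "public"; any grant to either is public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def is_public_grant(grant):
    """True if the grant's grantee is the AllUsers or AuthenticatedUsers group."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS


def strip_public_grants(acl, permissions=("FULL_CONTROL",)):
    """Return (new_acl, removed).

    new_acl keeps the Owner and every grant except public grants whose
    Permission is in `permissions`. permissions=None drops every public
    grant (READ, WRITE, READ_ACP, WRITE_ACP too), which is the stronger fix:
    a bucket with a public READ grant is still public.
    """
    kept, removed = [], []
    for grant in acl.get("Grants", []):
        matches = permissions is None or grant.get("Permission") in permissions
        if is_public_grant(grant) and matches:
            removed.append(grant)
        else:
            kept.append(grant)
    # put_bucket_acl only accepts Owner and Grants, so rebuild rather than mutate.
    return {"Owner": acl["Owner"], "Grants": kept}, removed


def public_policy_statements(policy_json):
    """Return Allow statements with a wildcard Principal from a bucket policy."""
    policy = json.loads(policy_json)
    found = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])
        )
        if stmt.get("Effect") == "Allow" and wildcard:
            found.append(stmt)
    return found


def remediate_bucket(bucket_name, permissions=("FULL_CONTROL",)):
    """Live path: read the ACL, strip public grants, write back, re-verify."""
    import boto3  # lazy import so the pure helpers above need no boto3

    s3 = boto3.client("s3")
    new_acl, removed = strip_public_grants(s3.get_bucket_acl(Bucket=bucket_name), permissions)
    if removed:
        s3.put_bucket_acl(Bucket=bucket_name, AccessControlPolicy=new_acl)
    # Verify by re-reading: anything still matching means the write did not take.
    _, still_public = strip_public_grants(s3.get_bucket_acl(Bucket=bucket_name), permissions)
    return removed, still_public


# Constructed sample in the shape boto3 returns; not from a real account.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "a1b2c3"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "a1b2c3"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    cleaned, gone = strip_public_grants(SAMPLE_ACL)
    print(json.dumps(cleaned, indent=2))
    print("removed:", [(g["Grantee"]["URI"], g["Permission"]) for g in gone])
```

With the default permissions the sample loses only the AllUsers FULL_CONTROL grant and keeps the public READ grant to AuthenticatedUsers, which is exactly the finding this page describes but not a private bucket; pass permissions=None to clear both. If the bucket has ACLs disabled (Object Ownership set to bucket owner enforced), public ACL grants cannot exist and put_bucket_acl with an AccessControlPolicy is rejected, so check the bucket policy with public_policy_statements instead.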