More Info:

AWS S3 buckets should not allow public READ_ACP access. Granting public “READ_ACP” access to your S3 buckets can allow everyone on the Internet to see who controls your objects. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing techniques to help them gain access to your S3 data.

Risk Level

Medium

Address

Security

Compliance Standards

PCIDSS, NIST

Triage and Remediation

Remediation

Using Console

Sure, here are the step by step instructions to remediate the misconfiguration “S3 Bucket Should Not Allow Public READ_ACP Access” for AWS using AWS console:
  1. Log in to your AWS console.
  2. Navigate to the S3 service.
  3. Select the S3 bucket that you want to remediate.
  4. Click on the “Permissions” tab.
  5. Scroll down to the “Access control list (ACL)” section.
  6. Click on the “Edit” button next to the “Public access” option.
  7. Uncheck the “List objects” checkbox under the “Access for Everyone” section.
  8. Click on the “Save” button to save the changes.
By following the above steps, you have successfully remediated the misconfiguration “S3 Bucket Should Not Allow Public READ_ACP Access” for AWS using AWS console.

To remediate the misconfiguration “S3 Bucket Should Not Allow Public READ_ACP Access” in AWS using AWS CLI, follow the below steps:Step 1: Open the AWS CLI on your local machine or EC2 instance.Step 2: Run the following command to list all the S3 buckets in your AWS account.
aws s3api list-buckets
Step 3: Identify the bucket that has public READ_ACP access and note down the bucket name.Step 4: Run the following command to remove the public READ_ACP access from the identified S3 bucket.
aws s3api put-bucket-acl --bucket <bucket-name> --acl private
Replace <bucket-name> with the name of the identified S3 bucket.Step 5: Verify that the public READ_ACP access has been removed from the S3 bucket by running the following command.
aws s3api get-bucket-acl --bucket <bucket-name>
This command will return the access control list (ACL) of the S3 bucket. Ensure that there are no grants with the permission “READ_ACP” for “AllUsers” or “AuthenticatedUsers”.By following the above steps, you can remediate the misconfiguration “S3 Bucket Should Not Allow Public READ_ACP Access” in AWS using AWS CLI.
To remediate the S3 Bucket should not allow public READ_ACP access issue in AWS, you can follow the below steps using Python:
  1. Import the required AWS SDKs and libraries in your Python script.
import boto3
from botocore.exceptions import ClientError
  1. Initialize the S3 client using the AWS SDK for Python (Boto3) and provide the necessary AWS credentials.
s3 = boto3.client('s3',
    aws_access_key_id='<your_access_key_id>',
    aws_secret_access_key='<your_secret_access_key>'
)
  1. Iterate over all the S3 buckets in your AWS account and check if any of them have public READ_ACP access.
buckets = s3.list_buckets()['Buckets']

for bucket in buckets:
    try:
        acl = s3.get_bucket_acl(Bucket=bucket['Name'])
        grants = acl['Grants']
        
        for grant in grants:
            if 'URI' in grant['Grantee'] and grant['Permission'] == 'READ_ACP':
                print(f"Bucket {bucket['Name']} has public READ_ACP access.")
                # remediation steps go here
                break
    except ClientError as e:
        print(f"Error getting ACL for bucket {bucket['Name']}: {e}")
  1. If any S3 bucket has public READ_ACP access, update its bucket policy to deny public READ_ACP access.
bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObjectAcl",
            "Resource": f"arn:aws:s3:::{bucket['Name']}/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "public-read"
                }
            }
        }
    ]
}

s3.put_bucket_policy(Bucket=bucket['Name'], Policy=json.dumps(bucket_policy))
This will update the bucket policy for the S3 bucket to deny public READ_ACP access.

Additional Reading: