More Info:
AWS S3 buckets should not allow public READ_ACP access. Granting public “READ_ACP” access to your S3 buckets can allow everyone on the Internet to see who controls your objects. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing techniques to help them gain access to your S3 data.Risk Level
MediumAddress
SecurityCompliance Standards
PCIDSS, NISTTriage and Remediation
Remediation
Using Console
Using Console
Sure, here are the step by step instructions to remediate the misconfiguration “S3 Bucket Should Not Allow Public READ_ACP Access” for AWS using AWS console:
- Log in to your AWS console.
- Navigate to the S3 service.
- Select the S3 bucket that you want to remediate.
- Click on the “Permissions” tab.
- Scroll down to the “Access control list (ACL)” section.
- Click on the “Edit” button next to the “Public access” option.
- Uncheck the “List objects” checkbox under the “Access for Everyone” section.
- Click on the “Save” button to save the changes.
Using CLI
Using CLI
To remediate the misconfiguration “S3 Bucket Should Not Allow Public READ_ACP Access” in AWS using AWS CLI, follow the below steps:Step 1: Open the AWS CLI on your local machine or EC2 instance.Step 2: Run the following command to list all the S3 buckets in your AWS account.Step 3: Identify the bucket that has public READ_ACP access and note down the bucket name.Step 4: Run the following command to remove the public READ_ACP access from the identified S3 bucket.Replace This command will return the access control list (ACL) of the S3 bucket. Ensure that there are no grants with the permission “READ_ACP” for “AllUsers” or “AuthenticatedUsers”.By following the above steps, you can remediate the misconfiguration “S3 Bucket Should Not Allow Public READ_ACP Access” in AWS using AWS CLI.
<bucket-name>
with the name of the identified S3 bucket.Step 5: Verify that the public READ_ACP access has been removed from the S3 bucket by running the following command.Using Python
Using Python
To remediate the S3 Bucket should not allow public READ_ACP access issue in AWS, you can follow the below steps using Python:This will update the bucket policy for the S3 bucket to deny public READ_ACP access.
- Import the required AWS SDKs and libraries in your Python script.
- Initialize the S3 client using the AWS SDK for Python (Boto3) and provide the necessary AWS credentials.
- Iterate over all the S3 buckets in your AWS account and check if any of them have public READ_ACP access.
- If any S3 bucket has public READ_ACP access, update its bucket policy to deny public READ_ACP access.