S3 Bucket Should Not Allow Public READ_ACP Access

More Info:

AWS S3 buckets should not allow public READ_ACP access. Granting public “READ_ACP” access to your S3 buckets can allow everyone on the Internet to see who controls your objects. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing techniques to help them gain access to your S3 data.

Risk Level

Medium

Address

Security

Compliance Standards

PCIDSS, NIST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “S3 Bucket Should Not Allow Public READ_ACP Access” in AWS using AWS CLI, follow the below steps:Step 1: Open the AWS CLI on your local machine or EC2 instance.Step 2: Run the following command to list all the S3 buckets in your AWS account.

aws s3api list-buckets

Step 3: Identify the bucket that has public READ_ACP access and note down the bucket name.Step 4: Run the following command to remove the public READ_ACP access from the identified S3 bucket.

aws s3api put-bucket-acl --bucket <bucket-name> --acl private

Replace <bucket-name> with the name of the identified S3 bucket.Step 5: Verify that the public READ_ACP access has been removed from the S3 bucket by running the following command.

aws s3api get-bucket-acl --bucket <bucket-name>

This command will return the access control list (ACL) of the S3 bucket. Ensure that there are no grants with the permission “READ_ACP” for “AllUsers” or “AuthenticatedUsers”.By following the above steps, you can remediate the misconfiguration “S3 Bucket Should Not Allow Public READ_ACP Access” in AWS using AWS CLI.

Using Python

To remediate the S3 Bucket should not allow public READ_ACP access issue in AWS, you can follow the below steps using Python:

Import the required AWS SDKs and libraries in your Python script.

import boto3
from botocore.exceptions import ClientError

Initialize the S3 client using the AWS SDK for Python (Boto3) and provide the necessary AWS credentials.

s3 = boto3.client('s3',
    aws_access_key_id='<your_access_key_id>',
    aws_secret_access_key='<your_secret_access_key>'
)

Iterate over all the S3 buckets in your AWS account and check if any of them have public READ_ACP access.

buckets = s3.list_buckets()['Buckets']

for bucket in buckets:
    try:
        acl = s3.get_bucket_acl(Bucket=bucket['Name'])
        grants = acl['Grants']
        
        for grant in grants:
            if 'URI' in grant['Grantee'] and grant['Permission'] == 'READ_ACP':
                print(f"Bucket {bucket['Name']} has public READ_ACP access.")
                # remediation steps go here
                break
    except ClientError as e:
        print(f"Error getting ACL for bucket {bucket['Name']}: {e}")

If any S3 bucket has public READ_ACP access, update its bucket policy to deny public READ_ACP access.

bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObjectAcl",
            "Resource": f"arn:aws:s3:::{bucket['Name']}/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "public-read"
                }
            }
        }
    ]
}

s3.put_bucket_policy(Bucket=bucket['Name'], Policy=json.dumps(bucket_policy))

This will update the bucket policy for the S3 bucket to deny public READ_ACP access.

Additional Reading:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 Bucket Should Not Allow Public READ_ACP Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: