More Info:
AWS S3 buckets should not be publicly accessible for WRITE actions via S3 access control lists (ACLs), in order to protect your S3 data from unauthorized users.
Risk Level: Critical
Address: Security
Compliance Standards: HIPAA, PCIDSS, NIST
Triage and Remediation
Remediation
Using Console
Step-by-step instructions to remediate the misconfiguration in the AWS Management Console:
- Log in to the AWS Management Console.
- Navigate to the S3 service.
- Click on the name of the bucket that you want to remediate.
- Click on the “Permissions” tab.
- Under the “Block public access (bucket settings)” section, click on “Edit”.
- Uncheck the box next to “Block all public access”.
- Check the box next to “Block public access to buckets and objects granted through new public bucket policies”.
- Check the box next to “Block public and cross-account access to buckets and objects through any public bucket policies”.
- Click on “Save changes”.
Using CLI
The following steps can be taken to remediate the S3 bucket public write issue in AWS using the AWS CLI:
- Open the AWS CLI on your local machine.
- Run the following command to list all the S3 buckets in your AWS account:
- Identify the S3 bucket that has public write access.
- Run the following command to remove public write access from the S3 bucket:
  Replace BUCKET-NAME with the name of the S3 bucket that has public write access.
- Run the following command to verify that the public write access has been removed from the S3 bucket:
  Replace BUCKET-NAME with the name of the S3 bucket that has public write access.
- If the above command returns the following output, then public write access has been successfully removed from the S3 bucket:
Note: It is important to regularly audit the S3 buckets in your AWS account to ensure that they are not publicly accessible and have the appropriate access controls in place.
Using Python
To remediate the misconfiguration “S3 Buckets Should Not Allow Public Writes” in AWS, you can use the following steps in Python:
- Install the AWS SDK for Python (Boto3) using the command pip install boto3.
- Create an S3 client using the following code:
- Get a list of all S3 buckets in your AWS account using the list_buckets() method:
- For each bucket, check if it allows public write access using the get_bucket_acl() method:
- If the bucket allows public write access, remove the permission using the put_bucket_acl() method:
The final code to remediate the misconfiguration “S3 Buckets Should Not Allow Public Writes” in AWS using Python will look something like this:
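As an added example (not the page's own final code), here is the check-and-rewrite logic behind the get_bucket_acl() and put_bucket_acl() steps, written so the ACL inspection runs offline against a constructed get_bucket_acl() response, with the boto3 client only passed into remediate_bucket(). It assumes the AuthenticatedUsers group should be treated as public alongside AllUsers, and that WRITE, WRITE_ACP and FULL_CONTROL are the grants that allow writing.

```python
# Added example (not the page's code): pure-Python ACL checks, offline-runnable.
import copy

# Grantee URIs that make a grant public (AllUsers) or open to any AWS
# account (AuthenticatedUsers); both count as public write here.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that let a grantee write objects or rewrite the ACL.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample in the shape get_bucket_acl() returns (IDs are fake).
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

def is_public_write_grant(grant):
    """True when one ACL grant gives a public group write access."""
    grantee = grant.get("Grantee", {})
    return (grantee.get("Type") == "Group"
            and grantee.get("URI") in PUBLIC_GROUP_URIS
            and grant.get("Permission") in WRITE_PERMISSIONS)

def public_write_grants(acl):
    """Grants in a get_bucket_acl() response that allow public write."""
    return [g for g in acl.get("Grants", []) if is_public_write_grant(g)]

def strip_public_write(acl):
    """AccessControlPolicy for put_bucket_acl() with public write grants
    removed; only Owner and Grants are copied, as put_bucket_acl() rejects
    the ResponseMetadata key that get_bucket_acl() adds."""
    return {"Owner": copy.deepcopy(acl["Owner"]),
            "Grants": [copy.deepcopy(g) for g in acl.get("Grants", [])
                       if not is_public_write_grant(g)]}

def remediate_bucket(s3, bucket):
    """Strip public write grants from one bucket; True if the ACL changed."""
    acl = s3.get_bucket_acl(Bucket=bucket)
    if not public_write_grants(acl):
        return False
    s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy=strip_public_write(acl))
    return True
```

For a live run, call remediate_bucket(boto3.client("s3"), b["Name"]) for each entry in list_buckets()["Buckets"]; buckets with only the owner grant are left untouched.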