AWS S3 buckets should not allow public WRITE_ACP access. Granting public “WRITE_ACP” access to your AWS S3 buckets can allow anonymous users to edit the bucket's ACL and thereby grant themselves the ability to view, upload, modify and delete S3 objects within the bucket without restriction.
Check if the bucket policy allows public WRITE_ACP access. You can use the following code to check this:
```python
import json
import boto3

s3 = boto3.client('s3')
bucket_policy = s3.get_bucket_policy(Bucket='your-bucket-name')  # placeholder bucket name
bucket_policy_json = json.loads(bucket_policy['Policy'])  # the policy document is a JSON string
for statement in bucket_policy_json.get('Statement', []):
    principal = statement.get('Principal')
    # anonymous access is spelled either "*" or {"AWS": "*"}
    is_public = principal == '*' or (isinstance(principal, dict) and principal.get('AWS') == '*')
    # Action may be a single string or a list of actions
    actions = statement.get('Action', [])
    actions = [actions] if isinstance(actions, str) else actions
    if statement.get('Effect') == 'Allow' and is_public and 's3:PutBucketAcl' in actions:
        print('Public WRITE_ACP access is allowed')
```
If the bucket policy allows public WRITE_ACP access, you can remove it using the put_bucket_acl method of the S3 client object. You can use the following code to remove the public WRITE_ACP access:
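The following is an added example, not code from the original page. It covers both places where public WRITE_ACP can be granted: an Allow statement in the bucket policy (including `s3:*`-style wildcards and the `{"AWS": "*"}` principal form) and a grant to the AllUsers or AuthenticatedUsers group in the bucket ACL. It also builds the `AccessControlPolicy` argument for `put_bucket_acl` with only the public ACL-editing grants removed. The functions operate on the plain dicts that boto3's `get_bucket_acl` and `get_bucket_policy` return, so the sample runs offline against constructed data; the boto3 calls appear only in comments. The function names and the sample bucket, owner and policy values are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Predefined S3 groups whose grants make a bucket "public" (anyone, or any AWS account).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that let the grantee rewrite the bucket ACL (FULL_CONTROL includes WRITE_ACP).
ACL_EDIT_PERMISSIONS = {"WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """Policy fields such as Statement/Action may be a string, a list, or absent."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_put_bucket_acl(action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatchcase("s3:putbucketacl", action.lower())


def policy_public_write_acp_statements(policy_document):
    """Return the Sid (or a positional label) of every Allow statement that lets an
    anonymous principal call s3:PutBucketAcl. Statements carrying a Condition are
    still reported, conservatively; review those by hand."""
    doc = json.loads(policy_document)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if any(_grants_put_bucket_acl(a) for a in _as_list(stmt.get("Action"))):
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


def _is_public_acl_edit_grant(grant):
    grantee = grant.get("Grantee", {})
    return (grantee.get("Type") == "Group"
            and grantee.get("URI") in PUBLIC_GROUP_URIS
            and grant.get("Permission") in ACL_EDIT_PERMISSIONS)


def acl_public_write_acp_grants(acl):
    """`acl` is the dict boto3's get_bucket_acl returns; return the offending group URIs."""
    return [g["Grantee"]["URI"] for g in acl.get("Grants", []) if _is_public_acl_edit_grant(g)]


def strip_public_write_acp(acl):
    """Build the AccessControlPolicy for put_bucket_acl: same owner, same grants, minus the
    public ACL-editing ones. Only Owner and Grants are copied, because the get_bucket_acl
    response also carries ResponseMetadata, which put_bucket_acl rejects."""
    kept = [g for g in acl.get("Grants", []) if not _is_public_acl_edit_grant(g)]
    return {"Owner": acl["Owner"], "Grants": kept}


# Constructed sample inputs (assumed values, not taken from any real account).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicAclEdit", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetBucketAcl", "s3:PutBucketAcl"],
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
})
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64, "DisplayName": "example-owner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE_ACP"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print("policy statements granting public WRITE_ACP:", policy_public_write_acp_statements(SAMPLE_POLICY))
    print("ACL grants giving public WRITE_ACP:", acl_public_write_acp_grants(SAMPLE_ACL))
    fixed = strip_public_write_acp(SAMPLE_ACL)
    print("grants kept after remediation:", [g["Permission"] for g in fixed["Grants"]])
    # Against a live bucket (boto3 is deliberately not imported so this sample runs offline):
    #   s3 = boto3.client("s3")
    #   acl = s3.get_bucket_acl(Bucket=bucket)
    #   policy = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    #   s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy=strip_public_write_acp(acl))
```

Two practical points: the policy check matches actions with `fnmatch`, so a statement allowing `s3:*` or `s3:Put*` to `*` is flagged even though the literal string `s3:PutBucketAcl` never appears; and the remediation keeps every non-public grant (the owner's FULL_CONTROL, the log-delivery WRITE) rather than replacing the ACL wholesale, so fixing the finding does not break logging or owner access.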