More Info:
AWS S3 buckets should not allow public WRITE_ACP access. Granting public “WRITE_ACP” access to your AWS S3 buckets can allow anonymous users to edit their ACL permissions and eventually be able to view, upload, modify and delete S3 objects within the bucket without restrictions.
Risk Level
High
Address
Security
Compliance Standards
NIST, PCIDSS
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “S3 Bucket Should Not Allow Public WRITE_ACP Access” for AWS using the AWS console, please follow the below steps:
- Log in to your AWS console.
- Navigate to S3 service.
- Select the bucket that has public WRITE_ACP access.
- Click on the “Permissions” tab.
- Scroll down to “Access Control List (ACL)” and click on it.
- Look for any entries that have the “Grantee” set to “All Users” or “Authenticated Users”.
- If you find any such entries, select them and click on the “Revoke” button to remove the public WRITE_ACP access.
- Click on the “Save” button to save the changes.
Using CLI
To remediate the misconfiguration “S3 Bucket Should Not Allow Public WRITE_ACP Access” for AWS using the AWS CLI, you can follow these steps:
- Open the AWS CLI on your local machine or EC2 instance.
- Identify the S3 bucket that is allowing public WRITE_ACP access. You can use the following command to list all the S3 buckets in your AWS account:
- Once you have identified the bucket, you can use the following command to update the bucket policy to remove public WRITE_ACP access. Replace BUCKET_NAME with the name of the S3 bucket that you want to update.
- Verify that the bucket policy has been updated successfully by running the following command. Replace BUCKET_NAME with the name of the S3 bucket that you updated in step 3.
- Check if the misconfiguration has been remediated by running a security scan or audit on your AWS account.
Using Python
To remediate the issue of an S3 bucket allowing public WRITE_ACP access in AWS using Python, you can follow the steps below:
- Install the AWS SDK for Python (boto3) using the following command:
- Create a boto3 S3 client object using the following code:
- Get the bucket policy using the get_bucket_policy method of the S3 client object:
- Check if the bucket policy allows public WRITE_ACP access. You can use the following code to check this:
- If the bucket policy allows public WRITE_ACP access, you can remove it using the put_bucket_acl method of the S3 client object. You can use the following code to remove the public WRITE_ACP access:
This will set the bucket ACL to private and remove the public WRITE_ACP access.
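The check-then-reset flow above, written out as an added example (not code from the original page): it inspects the grants in a get_bucket_acl() response for the AllUsers or AuthenticatedUsers groups holding WRITE_ACP (and, going one step beyond the text, FULL_CONTROL, which includes it) and only then calls put_bucket_acl with the canned private ACL. The FakeS3 client, the SAMPLE_ACL and the owner ID are constructed so it runs offline; with a real boto3 client the same functions apply unchanged.

```python
# S3 predefined groups whose grants are effectively public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Permissions that let the grantee rewrite the ACL; FULL_CONTROL includes WRITE_ACP.
ACL_WRITE_PERMISSIONS = {"WRITE_ACP", "FULL_CONTROL"}

def public_write_acp_grants(acl):
    """Grants in a get_bucket_acl() response that let AllUsers or AuthenticatedUsers change the ACL."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
        and g.get("Permission") in ACL_WRITE_PERMISSIONS
    ]

def remediate_bucket(s3, bucket):
    """Reset a publicly ACL-writable bucket to the canned 'private' ACL (owner FULL_CONTROL only).
    Caveat: this also drops every other grant, so re-add legitimate ones afterwards."""
    offending = public_write_acp_grants(s3.get_bucket_acl(Bucket=bucket))
    if offending:
        s3.put_bucket_acl(Bucket=bucket, ACL="private")
    return offending

class FakeS3:
    """Constructed stand-in for a boto3 S3 client so the check runs offline."""
    def __init__(self, acl):
        self.acl, self.calls = acl, []
    def get_bucket_acl(self, Bucket):
        return self.acl
    def put_bucket_acl(self, Bucket, ACL):
        self.calls.append((Bucket, ACL))
        owner = {"Type": "CanonicalUser", "ID": self.acl["Owner"]["ID"]}
        self.acl = {"Owner": self.acl["Owner"], "Grants": [{"Grantee": owner, "Permission": "FULL_CONTROL"}]}

# Constructed ACL in the shape boto3 returns; the AllUsers WRITE_ACP grant is the finding.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    # Against a real account: remediate_bucket(boto3.client("s3"), "BUCKET_NAME")
    client = FakeS3(SAMPLE_ACL)
    found = remediate_bucket(client, "BUCKET_NAME")
    print(f"removed {len(found)} public ACL-write grant(s); API calls: {client.calls}")
```

Running the same check again after the reset returns no grants and issues no second put_bucket_acl call, which is the verification step the CLI section describes.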