S3 allows write remediation

Using Console

Using CLI

The following steps can be taken to remediate the S3 bucket public write issue in AWS using AWS CLI:

Open the AWS CLI on your local machine.
Run the following command to list all the S3 buckets in your AWS account:

aws s3 ls

Identify the S3 bucket that has public write access.
Run the following command to remove public write access from the S3 bucket:

aws s3api put-bucket-acl --bucket BUCKET-NAME --acl private

Replace BUCKET-NAME with the name of the S3 bucket that has public write access.

Run the following command to verify that the public write access has been removed from the S3 bucket:

aws s3api get-bucket-acl --bucket BUCKET-NAME

Replace BUCKET-NAME with the name of the S3 bucket that has public write access.

If the above command returns the following output, then public write access has been successfully removed from the S3 bucket:

{
    "Grants": [
        {
            "Grantee": {
                "Type": "CanonicalUser",
                "ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            },
            "Permission": "FULL_CONTROL"
        }
    ],
    "Owner": {
        "DisplayName": "owner-name",
        "ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    }
}

Note: It is important to regularly audit the S3 buckets in your AWS account to ensure that they are not publicly accessible and have the appropriate access controls in place.

Using Python

To remediate the misconfiguration “S3 Buckets Should Not Allow Public Writes” in AWS, you can use the following steps in Python:

Install the AWS SDK for Python (Boto3) using the command pip install boto3.
Create an S3 client using the following code:

import boto3

s3 = boto3.client('s3')

Get a list of all S3 buckets in your AWS account using the list_buckets() method:

response = s3.list_buckets()

for bucket in response['Buckets']:
    bucket_name = bucket['Name']

For each bucket, check if it allows public write access using the get_bucket_acl() method:

acl = s3.get_bucket_acl(Bucket=bucket_name)

for grant in acl['Grants']:
    grantee = grant['Grantee']
    permission = grant['Permission']
    
    if 'URI' in grantee and grantee['URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers' and permission == 'WRITE':
        # Bucket allows public write access

If the bucket allows public write access, remove the permission using the put_bucket_acl() method:

s3.put_bucket_acl(
    Bucket=bucket_name,
    ACL='private'
)

The final code to remediate the misconfiguration “S3 Buckets Should Not Allow Public Writes” in AWS using Python will look something like this:

import boto3

s3 = boto3.client('s3')

response = s3.list_buckets()

for bucket in response['Buckets']:
    bucket_name = bucket['Name']
    
    acl = s3.get_bucket_acl(Bucket=bucket_name)

    for grant in acl['Grants']:
        grantee = grant['Grantee']
        permission = grant['Permission']

        if 'URI' in grantee and grantee['URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers' and permission == 'WRITE':
            s3.put_bucket_acl(
                Bucket=bucket_name,
                ACL='private'
            )

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 allows write remediation

Triage and Remediation

Remediation