More Info:

AWS S3 buckets should not be publicly accessible via bucket policies in order to protect against unauthorized access. Granting public access to your S3 buckets via bucket policies can allow malicious users to view, get, upload, modify and delete S3 objects, actions that can lead to data loss and unexpected charges on your AWS bill.

Risk Level

Critical

Address

Security

Compliance Standards

CBP, GDPR

Triage and Remediation

Remediation

  1. Open the AWS S3 Console.
  2. Navigate to the specific S3 bucket for which you want to block public access.
  3. Click on the “Permissions” tab.
  4. Scroll down to the “Block public access” section.
  5. Edit the settings to block all public access.
  6. Save the changes.

Alternate option

  1. Sign in to the AWS Management Console.
  2. Navigate to the S3 service.
  3. Select the bucket you want to remediate.
  4. Review Bucket Policy:
    • Click on the Permissions tab.
    • Click on Bucket Policy.
    • Review the JSON policy document displayed.
  5. Identify Statements Allowing Public Access:
    • Look for statements with "Effect": "Allow" and "Principal": "*".
    • These statements grant public access to resources in the bucket.
  6. Modify the Bucket Policy:
    • Remove or modify the identified statements to restrict public access.
    • You can remove the entire statement or modify the Principal or Action to limit access.
    • For example, you can change "Principal": "*" to "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"} to grant access only to the AWS account root user.
  7. Save Changes:
    • After making modifications, click Save or Apply Changes to save the updated bucket policy.
  8. Repeat for Other Buckets:
    • Repeat the above steps for each bucket listed in the script that requires remediation.

Example:

Suppose the bucket policy contains a statement allowing public access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
    ]
}

To remediate, you would remove this statement or modify it to restrict access. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
    ]
}

After saving the updated policy, public access to objects in the bucket would be denied.
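The review in steps 4 to 6 above can be automated for many buckets. The following is an added example, not code from the original page or from any vendor tool: a small offline analyzer that applies the check from step 5 (a statement with "Effect": "Allow" and a wildcard Principal) to a bucket policy document and produces a copy with those statements removed. The policy it inspects is constructed for illustration; in practice you would pass in the JSON string that boto3's s3.get_bucket_policy(Bucket=name)["Policy"] returns. The Sid values and the account id 123456789012 are sample values.

```python
"""Flag and strip bucket-policy statements that grant public access.

Added example (not from the original page). Works on a policy JSON string,
so it can be run offline against a policy copied from the console or
fetched with boto3: s3.get_bucket_policy(Bucket=name)["Policy"].
"""
import json

# Constructed sample policy: one statement open to everyone, one scoped to
# a single account (the account id is a placeholder).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
        },
        {
            "Sid": "AccountOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
        },
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True when the Principal element grants access to everyone.

    Both the bare "*" and {"AWS": "*"} forms mean anonymous access; a
    principal made up only of concrete ARNs or account ids is not wildcard.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(members) for members in principal.values())
    return False


def find_public_statements(policy_json):
    """Return statements that allow public access (Effect Allow + wildcard Principal).

    Statements that also carry a Condition are still returned: a condition
    such as aws:SourceIp narrows the audience, but the statement is still
    public-facing and deserves a human review.
    """
    policy = json.loads(policy_json)
    return [
        stmt for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        and is_wildcard_principal(stmt.get("Principal"))
    ]


def remove_public_statements(policy_json):
    """Return a new policy JSON string with the public-access statements removed.

    This implements the "remove the entire statement" remediation from step 6
    while leaving every other statement untouched. If nothing remains, delete
    the bucket policy (s3.delete_bucket_policy) rather than saving an empty one.
    """
    policy = json.loads(policy_json)
    flagged = {json.dumps(s, sort_keys=True) for s in find_public_statements(policy_json)}
    policy["Statement"] = [
        s for s in _as_list(policy.get("Statement"))
        if json.dumps(s, sort_keys=True) not in flagged
    ]
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    for stmt in find_public_statements(SAMPLE_POLICY):
        print("PUBLIC:", stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action")))
    print(remove_public_statements(SAMPLE_POLICY))
```

Two points worth keeping in mind when applying the output. An explicit "Effect": "Deny" with "Principal": "*", as in the remediated policy above, is evaluated for every principal, including IAM users and roles in your own account, so confirm that nothing legitimate depends on s3:GetObject before saving it. And a principal of the form arn:aws:iam::ACCOUNT_ID:root delegates trust to that account as a whole; which IAM users and roles in the account can then reach the bucket is decided by their own IAM policies.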

Ensure that you have appropriate permissions to modify the bucket policy in the AWS Management Console.

Additional Reading: