More Info:

AWS S3 buckets should not be publicly accessible via bucket policies in order to protect against unauthorized access. Granting public access to your S3 buckets via bucket policies can allow malicious users to view, get, upload, modify and delete S3 objects, actions that can lead to data loss and unexpected charges on your AWS bill.

Risk Level

Critical

Address

Security

Compliance Standards

CBP, GDPR

Triage and Remediation

Remediation

Using Console

  1. Open the AWS S3 Console.
  2. Navigate to the specific S3 bucket for which you want to block public access.
  3. Click on the “Permissions” tab.
  4. Scroll down to the “Block public access” section.
  5. Edit the settings to block all public access.
  6. Save the changes.
Alternate option
  1. Sign in to the AWS Management Console**.
  2. Navigate to the S3 service**.
  3. Select the bucket you want to remediate**.
  4. Review Bucket Policy**:
    • Click on the Permissions tab.
    • Click on Bucket Policy.
    • Review the JSON policy document displayed.
  5. Identify Statements Allowing Public Access**:
    • Look for statements with "Effect": "Allow" and "Principal": "*".
    • These statements grant public access to resources in the bucket.
  6. Modify the Bucket Policy**:
    • Remove or modify the identified statements to restrict public access.
    • You can remove the entire statement or modify the Principal or Action to limit access.
    • For example, you can change "Principal": "*" to "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"} to grant access only to the AWS account root user.
  7. Save Changes**:
    • After making modifications, click Save or Apply Changes to save the updated bucket policy.
  8. Repeat for Other Buckets**:
    • Repeat the above steps for each bucket listed in the script that requires remediation.

Example:

Suppose the bucket policy contains a statement allowing public access:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
    ]
}
To remediate, you would remove this statement or modify it to restrict access. For example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
    ]
}
After saving the updated policy, public access to objects in the bucket would be denied.Ensure that you have appropriate permissions to modify the bucket policy in the AWS Management Console.

# Run the following AWS CLI command to enable block public access for an S3 bucket
aws s3api put-public-access-block --bucket YOUR_BUCKET_NAME --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
Replace YOUR_BUCKET_NAME with the name of your S3 bucket.Alternate option
  1. Retrieve Bucket Policy**:
aws s3api get-bucket-policy --bucket BUCKET_NAME > bucket_policy.json
Replace BUCKET_NAME with the name of the bucket you want to remediate.
  1. Analyze the Bucket Policy**:
    • Review the policy stored in the bucket_policy.json file to identify any statements allowing public access ("Effect": "Allow" with "Principal": "*").
  2. Update Bucket Policy**:
    • Modify the bucket_policy.json file to remove or modify the statements allowing public access.
  3. Apply Remediated Policy**: 
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://bucket_policy.json
Replace BUCKET_NAME with the name of the bucket.

Example Remediation:

Suppose the bucket_policy.json file contains a policy allowing public access:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}
You want to remediate it by removing the statement. Modify the bucket_policy.json file to remove the statement:
{
    "Version": "2012-10-17",
    "Statement": []
}
Then, apply the remediated policy to the bucket:
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://bucket_policy.json
This will remove all statements from the bucket policy, effectively revoking public access.Ensure that you have appropriate IAM permissions to modify the bucket policy using the put-bucket-policy command.
import boto3

def remediate_s3_public_access_via_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region):
    # Create an S3 client
    s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region)

    # Block public access configuration
    public_access_block_config = {
        'BlockPublicAcls': True,
        'IgnorePublicAcls': True,
        'BlockPublicPolicy': True,
        'RestrictPublicBuckets': True
    }

    # Apply public access block configuration to the bucket
    s3_client.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration=public_access_block_config
    )

    print(f"Public access blocked for S3 bucket: {bucket_name}")

Alternate option

```python
import boto3
import json

def check_and_remediate_s3_public_access(bucket_name):
    # Initialize S3 client
    s3_client = boto3.client('s3')

    # Get Bucket Policy
    try:
        response = s3_client.get_bucket_policy(Bucket=bucket_name)
        bucket_policy = response['Policy']
        statements = json.loads(bucket_policy).get('Statement', [])

        # Check if there are any statements allowing public access
        for statement in statements:
            effect = statement.get('Effect', '')
            principal = statement.get('Principal', {})
            aws_principal = principal.get('AWS', '')
            if effect == 'Allow' and (principal == '*' or aws_principal == '*'):
                print(f"Public access found in bucket policy for {bucket_name}. Remediate the policy.")
                # Add remediation steps here, such as removing the statement or updating policy

        # If no public access statements found, bucket is compliant
        print(f"No public access found in bucket policy for {bucket_name}.")
    except s3_client.exceptions.NoSuchBucketPolicy:
        print(f"No bucket policy found for {bucket_name}.")
This script checks for public access statements in the bucket policy and prints a message if any are found. For remediation, you would need to implement steps to modify the bucket policy accordingly, such as removing the statements allowing public access or updating the policy to restrict public access.You can call this function check_and_remediate_s3_public_access for each bucket to check and remediate the public access issues in your S3 buckets.

Example Usage:

# Example usage
check_and_remediate_s3_public_access("your_bucket_name")
Replace "your_bucket_name" with the actual name of the bucket you want to check and remediate. Make sure to have appropriate permissions to modify the bucket policy.

Example usage

bucket_name = ‘YOUR_BUCKET_NAME’ aws_access_key_id = ‘YOUR_ACCESS_KEY’ aws_secret_access_key = ‘YOUR_SECRET_KEY’ region = ‘us-east-1’ # Replace with your desired regionremediate_s3_public_access_via_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region)

Replace `YOUR_BUCKET_NAME`, `YOUR_ACCESS_KEY`, `YOUR_SECRET_KEY`, and update the `region` with your desired region in the Python script. Run the script, and it will block public access for the specified S3 bucket. Make sure to install the `boto3` library if you haven't already:

```bash
pip install boto3
Note: Ensure that you have the necessary permissions to make these changes, and exercise caution when applying changes to production environments.

Additional Reading: