More Info:
AWS S3 buckets should not be publicly accessible via bucket policies in order to protect against unauthorized access. Granting public access to your S3 buckets via bucket policies can allow malicious users to view, get, upload, modify and delete S3 objects, actions that can lead to data loss and unexpected charges on your AWS bill.
Risk Level
Critical
Address
Security
Compliance Standards
CBP, GDPR
Triage and Remediation
Remediation
Using Console
- Open the AWS S3 Console.
- Navigate to the specific S3 bucket for which you want to block public access.
- Click on the “Permissions” tab.
- Scroll down to the “Block public access (bucket settings)” section and click Edit.
- Select “Block all public access”. This turns on all four settings: S3 rejects new public ACLs and ignores existing ones, rejects new bucket policies that would grant public access, and stops honoring public and cross-account access granted by an existing public bucket policy.
- Save the changes and confirm.
- Note that blocking public access does not remove the offending statements from the bucket policy itself; the policy still grants public access on paper and the check may continue to flag it, so also remediate the policy as described below.
- Sign in to the AWS Management Console.
- Navigate to the S3 service.
- Select the bucket you want to remediate.
- Review Bucket Policy:
- Click on the Permissions tab.
- Click on Bucket Policy.
- Review the JSON policy document displayed.
- Identify Statements Allowing Public Access:
- Look for statements with "Effect": "Allow" and "Principal": "*" (or the equivalent "Principal": {"AWS": "*"}). These statements grant public access to resources in the bucket unless a Condition narrows the allowed callers, for example to your organization with aws:PrincipalOrgID or to a VPC endpoint with aws:SourceVpce. A "*" principal with no such condition is public.
- Modify the Bucket Policy:
- Remove or modify the identified statements to restrict public access.
- You can remove the entire statement, or modify its Principal or Action to limit access.
- For example, you can change "Principal": "*" to "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"}. An account root ARN as a principal grants access to that whole AWS account (its root user and any IAM identity in it whose own IAM policy also allows the action), not only to the root user; to allow a single role or user, name that role's or user's ARN instead.
- Save Changes:
- After making modifications, click Save changes to save the updated bucket policy. If you removed every statement, delete the bucket policy instead of saving an empty one.
- Repeat for Other Buckets:
- Repeat the above steps for each bucket flagged by this check as requiring remediation.
Example:
Suppose the bucket policy contains a statement allowing public access:
Using CLI
Replace YOUR_BUCKET_NAME with the name of your S3 bucket.
Alternate option
- Retrieve Bucket Policy: replace BUCKET_NAME with the name of the bucket you want to remediate, and save the returned policy document to a bucket_policy.json file.
- Analyze the Bucket Policy: review the policy stored in the bucket_policy.json file to identify any statements allowing public access ("Effect": "Allow" with "Principal": "*" or "Principal": {"AWS": "*"}, and no Condition that narrows the allowed callers).
- Update Bucket Policy: modify the bucket_policy.json file to remove or restrict the statements allowing public access.
- Apply Remediated Policy: replace BUCKET_NAME with the name of the bucket. If you removed every statement, delete the bucket policy instead of applying an empty one.
Example Remediation:
Suppose the bucket_policy.json file contains a policy allowing public access. Edit the bucket_policy.json file to remove the offending statement, then apply the updated file with the put-bucket-policy command.
Using Python
Call check_and_remediate_s3_public_access for each bucket to check and remediate the public access issues in your S3 buckets.
Example Usage:
Replace "your_bucket_name" with the actual name of the bucket you want to check and remediate. Make sure you have the appropriate permissions (s3:GetBucketPolicy, s3:PutBucketPolicy and s3:DeleteBucketPolicy on the bucket) to read and modify the bucket policy.