More Info:

AWS S3 buckets should not be granting FULL_CONTROL access to authenticated users (i.e. signed AWS accounts or AWS IAM users) in order to prevent unauthorized access. Exposing your S3 buckets to AWS signed accounts or users can lead to data leaks, data loss and unexpected charges for the S3 service.

Risk Level

High

Address

Security

Compliance Standards

CBP, AWSWAF, PCIDSS, NIST

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the issue of an S3 Bucket allowing FULL_CONTROL access to Authenticated Users in AWS using the AWS console:

  1. Login to your AWS account and go to the S3 console.
  2. Select the bucket for which you want to remediate the issue.
  3. Click on the “Permissions” tab in the top navigation bar.
  4. Under the “Access control list (ACL)” section, locate the “Authenticated Users” group and select it.
  5. Click on the “Actions” button and select “Edit bucket policy”.
  6. In the bucket policy editor, remove the “FULL_CONTROL” permission from the “Authenticated Users” group.
  7. Click on the “Save changes” button to save the updated bucket policy.

After following these steps, the S3 bucket will no longer allow FULL_CONTROL access to Authenticated Users.

Using CLI

To remediate the misconfiguration in AWS, you can follow the below steps using AWS CLI:

  1. Open the AWS CLI and run the following command to list all the S3 buckets in your account:

    aws s3api list-buckets

  2. Identify the S3 bucket that is allowing FULL_CONTROL access to authenticated users.

  3. Run the following command to remove the FULL_CONTROL access for authenticated users:

    aws s3api put-bucket-acl --bucket <bucket-name> --grant-full-control id=uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers

    Replace <bucket-name> with the name of the S3 bucket that you want to remediate.

  4. Verify that the FULL_CONTROL access for authenticated users has been removed by running the following command:

    aws s3api get-bucket-acl --bucket <bucket-name>

    This command will display the access control list (ACL) for the specified S3 bucket. Verify that the authenticated users no longer have FULL_CONTROL access.

  5. Repeat the above steps for any other S3 buckets that are allowing FULL_CONTROL access to authenticated users.

By following the above steps, you can remediate the misconfiguration in AWS where S3 bucket is allowing FULL_CONTROL access to authenticated users.

Using Python

To remediate the misconfiguration “S3 Bucket Should Not Allow FULL_CONTROL Access to Authenticated Users” in AWS using Python, you can follow these steps:

  1. First, you need to identify the S3 buckets that have full control access to authenticated users. You can use the AWS SDK for Python (Boto3) to list all the S3 buckets and their access control lists (ACLs).
import boto3

s3 = boto3.client('s3')

# List all the S3 buckets
buckets = s3.list_buckets()

# Iterate over the buckets and their ACLs
for bucket in buckets['Buckets']:
    bucket_name = bucket['Name']
    acl = s3.get_bucket_acl(Bucket=bucket_name)
    print(f"Bucket {bucket_name} ACL: {acl}")
  1. Once you have identified the buckets with full control access to authenticated users, you can update their ACLs to remove the FULL_CONTROL permission for authenticated users. You can use the put_bucket_acl method of the S3 client to update the ACL.
import boto3

s3 = boto3.client('s3')

# Update the ACL for the bucket to remove FULL_CONTROL permission for authenticated users
s3.put_bucket_acl(
    Bucket='my-bucket',
    GrantFullControl='',
    GrantRead='',
    GrantWrite='',
    GrantReadACP='',
    GrantWriteACP='',
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'READ'
            },
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'WRITE'
            },
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'READ_ACP'
            },
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'WRITE_ACP'
            }
        ],
        'Owner': {
            'DisplayName': 'string',
            'ID': 'string'
        }
    }
)

This will remove the FULL_CONTROL permission for authenticated users from the ACL of the specified bucket. You can repeat this step for all the buckets that have full control access to authenticated users.

Additional Reading: