> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# S3 Bucket Should Not Allow READ_ACP Access For Authenticated Users

### More Info:

AWS S3 buckets should not allow READ\_ACP access to AWS authenticated users using ACLs in order to protect against unauthorized access.

### Risk Level

Medium

### Address

Security

### Compliance Standards

CBP, PCIDSS, NIST

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Here are the step by step instructions to remediate the S3 Bucket misconfiguration for AWS using AWS Console:

        1. Log in to your AWS Management Console.

        2. Go to the S3 service dashboard.

        3. Select the bucket that you want to remediate.

        4. Click on the "Permissions" tab.

        5. Scroll down to the "Access Control List (ACL)" section.

        6. Click on the "Edit" button next to the "Authenticated Users" group.

        7. Uncheck the "Read" permission for the "Access Control Policy (ACP)".

        8. Click on the "Save" button to apply the changes.

        9. Verify that the "Read" permission for the "Access Control Policy (ACP)" is no longer enabled for the "Authenticated Users" group.

        10. Repeat the above steps for any other S3 buckets that may have this misconfiguration.

        By following these steps, you will have successfully remediated the S3 Bucket misconfiguration of not allowing READ\_ACP access for authenticated users in AWS.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the issue of S3 bucket allowing READ\_ACP access for authenticated users in AWS using AWS CLI, follow these steps:

        1. Open the AWS CLI on your local machine and run the following command to list all the S3 buckets in your AWS account:

        ```
        aws s3 ls
        ```

        2. Identify the S3 bucket that has READ\_ACP access for authenticated users.

        3. Run the following command to revoke READ\_ACP access for authenticated users:

        ```
        aws s3api put-bucket-acl --bucket <bucket-name> --grant-read-acp uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers --acl private
        ```

        Note: Replace `<bucket-name>` with the name of the S3 bucket that needs to be remediated.

        4. Verify that the remediation is successful by running the following command:

        ```
        aws s3api get-bucket-acl --bucket <bucket-name>
        ```

        Note: Replace `<bucket-name>` with the name of the S3 bucket that was remediated.

        This command should return the updated ACL of the S3 bucket, which should now have private access for READ\_ACP.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration "S3 Bucket Should Not Allow READ\_ACP Access For Authenticated Users" in AWS using Python, you can follow the below steps:

        1. Open the AWS Management Console and navigate to the S3 service.

        2. Select the S3 bucket that you want to remediate.

        3. Click on the Permissions tab and select the Access control list (ACL) option.

        4. Under the "Grantee" column, search for the "Authenticated Users" group.

        5. In the "Permission" column, deselect the "READ\_ACP" option for the "Authenticated Users" group.

        6. Click on the Save button to apply the changes.

        To automate this process using Python, you can use the boto3 library, which is the AWS SDK for Python. Below is the code snippet to remediate the misconfiguration using Python:

        ```
        import boto3

        s3 = boto3.resource('s3')

        bucket_name = 'your_bucket_name'

        bucket_acl = s3.BucketAcl(bucket_name)

        # Revoke READ_ACP permission for Authenticated Users group
        response = bucket_acl.put(
            AccessControlPolicy={
                'Grants': [
                    {
                        'Grantee': {
                            'Type': 'Group',
                            'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                        },
                        'Permission': 'WRITE_ACP'
                    }
                ],
                'Owner': {
                    'DisplayName': 'Your Name',
                    'ID': 'your_aws_account_id'
                }
            }
        )

        print(response)
        ```

        Note: Replace the `bucket_name` variable with the name of your S3 bucket. Also, make sure that you have the necessary AWS credentials configured to run this script.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html)
