S3 Bucket Should Not Allow WRITE Access to Authenticated Users
More Info:
S3 buckets should not allow WRITE access to AWS authenticated users through S3 ACLs.
Risk Level
Medium
Address
Security
Compliance Standards
CBP, HIPAA
Remediation
Using Console
Sure, here are the step by step instructions to remediate the S3 Bucket Should Not Allow WRITE Access to Authenticated Users misconfiguration for AWS using AWS console:
- Log in to your AWS Management Console.
- Go to the S3 service.
- Select the bucket that is misconfigured.
- Click on the “Permissions” tab.
- Click on “Bucket Policy”.
- Remove any policies that allow write access to authenticated users.
- You can also add a policy that explicitly denies write access to authenticated users.
Here is an example of a policy that denies write access to authenticated users:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAuthenticatedUsers",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Condition": {
"StringEquals": {
"aws:PrincipalType": "AuthenticatedUser"
}
}
}
]
}
- Click on “Save” to apply the changes.
That’s it! You have now successfully remediated the S3 Bucket Should Not Allow WRITE Access to Authenticated Users misconfiguration for AWS using AWS console.
Using CLI
To remediate the issue of S3 bucket allowing WRITE access to authenticated users in AWS using AWS CLI, follow the below steps:
-
Open the AWS CLI on your local machine and run the following command to list all the S3 buckets in your AWS account:
aws s3api list-buckets -
Identify the S3 bucket that has WRITE access to authenticated users.
-
Run the following command to remove WRITE access for authenticated users on the identified S3 bucket:
aws s3api put-bucket-acl --bucket bucket-name --grant-write "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"Replace
bucket-namewith the name of the identified S3 bucket. -
Run the following command to verify that authenticated users no longer have WRITE access to the S3 bucket:
aws s3api get-bucket-acl --bucket bucket-nameReplace
bucket-namewith the name of the identified S3 bucket. -
Verify that the remediation has worked successfully by attempting to write to the S3 bucket using an authenticated user. The attempt should now fail.
By following the above steps, you have successfully remediated the issue of S3 Bucket allowing WRITE access to Authenticated Users in AWS using AWS CLI.
Using Python
To remediate the misconfiguration “S3 Bucket Should Not Allow WRITE Access to Authenticated Users” in AWS using Python, you can follow these steps:
- First, you need to identify the S3 bucket that has WRITE access to authenticated users. You can use the following Python code to list all the S3 buckets and their ACLs:
import boto3
# Create an S3 client
s3 = boto3.client('s3')
# List all the S3 buckets
buckets = s3.list_buckets()
# Iterate through each bucket and print its ACL
for bucket in buckets['Buckets']:
acl = s3.get_bucket_acl(Bucket=bucket['Name'])
print(f"Bucket {bucket['Name']} ACL: {acl}")
- Once you have identified the bucket with WRITE access to authenticated users, you can update its ACL to remove the WRITE access. You can use the following Python code to remove WRITE access from authenticated users:
import boto3
# Create an S3 client
s3 = boto3.client('s3')
# Set the bucket name and grantee type
bucket_name = 'your-bucket-name'
grantee_type = 'AuthenticatedUsers'
# Get the bucket ACL
acl = s3.get_bucket_acl(Bucket=bucket_name)
# Iterate through each grant and remove WRITE access from authenticated users
for grant in acl['Grants']:
if grant['Grantee']['Type'] == grantee_type:
acl['Grants'].remove(grant)
# Set the updated ACL for the bucket
s3.put_bucket_acl(Bucket=bucket_name, AccessControlPolicy=acl)
- Run the above code to remove WRITE access from authenticated users for the identified S3 bucket.
Note: Make sure you have the necessary permissions to update the ACL of the S3 bucket.