> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# S3 Bucket Should Not Allow WRITE_ACP Access to Authenticated Users

### More Info:

AWS S3 buckets should not allow WRITE\_ACP access to AWS authenticated users using ACLs. Granting authenticated "WRITE\_ACP" access to your AWS S3 buckets can allow other AWS accounts or IAM users to edit ACL permissions in order to view, upload, modify and delete S3 objects within the buckets without restrictions.

### Risk Level

High

### Address

Security

### Compliance Standards

CBP, PCIDSS, NIST

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the "S3 Bucket Should Not Allow WRITE\_ACP Access to Authenticated Users" misconfiguration in AWS, you can follow these steps using the AWS console:

        1. Log in to the AWS Management Console.

        2. Navigate to the S3 service.

        3. Click on the name of the bucket that you want to remediate.

        4. Click on the "Permissions" tab.

        5. Click on the "Access control list (ACL)" button.

        6. Under the "Grantee" column, find the row that has "Authenticated Users".

        7. In the "Permission" column, find the "WRITE\_ACP" permission.

        8. Click on the "x" button to remove the "WRITE\_ACP" permission for "Authenticated Users".

        9. Click on the "Save" button to save the changes.

        10. Verify that the "Authenticated Users" group no longer has the "WRITE\_ACP" permission by checking the "Access control list (ACL)" again.

        11. Repeat these steps for any other S3 buckets that have the same misconfiguration.

        Note: You can also use AWS CLI or AWS SDKs to remediate this misconfiguration.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "S3 Bucket Should Not Allow WRITE\_ACP Access to Authenticated Users" for AWS using AWS CLI, follow these steps:

        1. Open the AWS CLI on your local machine.

        2. Run the following command to get a list of all S3 buckets in your AWS account:

           ```
           aws s3api list-buckets
           ```

        3. Identify the S3 bucket that has WRITE\_ACP access granted to authenticated users.

        4. Run the following command to revoke WRITE\_ACP access for authenticated users:

           ```
           aws s3api put-bucket-acl --bucket bucket-name --grant-write-acp uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers --acl private
           ```

           Replace "bucket-name" with the name of the S3 bucket that you want to remediate.

        5. Verify that WRITE\_ACP access for authenticated users has been revoked by running the following command:

           ```
           aws s3api get-bucket-acl --bucket bucket-name
           ```

           Replace "bucket-name" with the name of the S3 bucket that you want to remediate.

        6. Repeat the above steps for all S3 buckets that have WRITE\_ACP access granted to authenticated users.

        By following these steps, you can remediate the misconfiguration "S3 Bucket Should Not Allow WRITE\_ACP Access to Authenticated Users" for AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of allowing WRITE\_ACP access to authenticated users in an AWS S3 bucket using Python, follow these steps:

        1. Create an AWS S3 client using the AWS SDK for Python (Boto3).
        2. Get the bucket policy using the `get_bucket_policy()` method of the S3 client.
        3. Parse the JSON policy to identify the statement that allows WRITE\_ACP access to authenticated users.
        4. Remove the identified statement from the policy.
        5. Update the bucket policy using the `put_bucket_policy()` method of the S3 client.

        Here's the Python code to remediate the misconfiguration:

        ```python theme={null}
        import boto3
        import json

        # Create an S3 client
        s3 = boto3.client('s3')

        # Get the bucket policy
        bucket_name = 'your-bucket-name'
        policy = s3.get_bucket_policy(Bucket=bucket_name)

        # Parse the JSON policy
        policy_json = json.loads(policy['Policy'])
        statements = policy_json['Statement']

        # Identify the statement that allows WRITE_ACP access to authenticated users
        for statement in statements:
            if 'Principal' in statement and statement['Principal'] == {'AWS': '*'}:
                if 'Action' in statement and 's3:PutObjectAcl' in statement['Action']:
                    if 'Condition' in statement and 'Bool' in statement['Condition']:
                        if 'aws:SecureTransport' in statement['Condition']['Bool'] and statement['Condition']['Bool']['aws:SecureTransport'] == 'false':
                            # Remove the identified statement from the policy
                            policy_json['Statement'].remove(statement)

        # Update the bucket policy
        s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(policy_json))
        ```

        This code will remove the statement that allows WRITE\_ACP access to authenticated users from the S3 bucket policy.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html)
