S3 Bucket Should Not Allow Public FULL_CONTROL Access
More Info:
There should not be any publicly accessible S3 buckets available in your AWS account in order to protect your S3 data from loss and unauthorized access.
Risk Level
Critical
Address
Security
Compliance Standards
CBP, HITRUST, AWSWAF, SOC2, NISTCSF
Remediation
Using Console
Sure, here are the step-by-step instructions to remediate the S3 bucket misconfiguration in AWS:
-
Log in to the AWS Management Console and navigate to the S3 service.
-
Click on the name of the bucket that has the public FULL_CONTROL access.
-
Click on the “Permissions” tab and then select “Bucket Policy”.
-
Review the policy to see if there is any statement that grants public FULL_CONTROL access.
-
If there is any statement that grants public FULL_CONTROL access, remove it from the policy by editing the JSON policy document.
-
Alternatively, you can also revoke the public FULL_CONTROL access by selecting the “Access Control List” (ACL) tab and then removing the “Everyone” grantee with FULL_CONTROL access.
-
Once you have made the necessary changes, click on the “Save” button to save the updated policy or ACL.
-
Finally, test the bucket to ensure that the public FULL_CONTROL access has been remediated.
By following the above steps, you can remediate the S3 bucket misconfiguration to ensure that it does not allow public FULL_CONTROL access.
Using CLI
To remediate this misconfiguration, you can follow these steps using AWS CLI:
-
Open your terminal and install the AWS CLI if you haven’t installed it already.
-
Run the following command to list all the S3 buckets in your account:
aws s3api list-buckets -
Identify the bucket that has public FULL_CONTROL access.
-
Run the following command to remove the public FULL_CONTROL access from the bucket:
aws s3api put-bucket-acl --bucket <bucket-name> --acl privateReplace
<bucket-name>with the name of the bucket that you identified in step 3. -
Verify that the public FULL_CONTROL access has been removed by running the following command:
aws s3api get-bucket-acl --bucket <bucket-name>Replace
<bucket-name>with the name of the bucket that you identified in step 3. The output should show that there are no grants with the permission “FULL_CONTROL” for “AllUsers” or “AuthenticatedUsers”. -
Repeat steps 3-5 for any other buckets that have public FULL_CONTROL access.
By following these steps, you have successfully remediated the misconfiguration of allowing public FULL_CONTROL access to an S3 bucket in AWS.
Using Python
To remediate the misconfiguration of an S3 bucket allowing public FULL_CONTROL access, you can follow these steps:
-
Open the AWS Management Console and navigate to the S3 service.
-
Select the bucket that you want to remediate.
-
Click on the “Permissions” tab and then click on the “Access control list (ACL)” option.
-
Locate the “Grantee” that is set to “Everyone” and has “FULL_CONTROL” permissions.
-
Remove the “Grantee” by clicking on the “x” icon next to it.
-
Click on the “Save” button to save the changes.
To automate this process using Python, you can use the AWS SDK for Python (Boto3) and follow these steps:
- Install the Boto3 library by running the following command in your terminal:
pip install boto3
- Create a new Python file and import the necessary libraries:
import boto3
- Create a new S3 client:
s3 = boto3.client('s3')
- Retrieve the ACL of the bucket:
bucket_acl = s3.get_bucket_acl(Bucket='your-bucket-name')
- Loop through the ACL and remove any grant that has “FULL_CONTROL” permissions for the “AllUsers” group:
for grant in bucket_acl['Grants']:
if grant['Grantee']['Type'] == 'Group' and grant['Grantee']['URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers' and grant['Permission'] == 'FULL_CONTROL':
s3.put_bucket_acl(Bucket='your-bucket-name', AccessControlPolicy={'Grants': [g for g in bucket_acl['Grants'] if g != grant], 'Owner': bucket_acl['Owner']})
- Run the Python script and check the S3 bucket to confirm that the public FULL_CONTROL access has been removed.
Note: Make sure to replace “your-bucket-name” with the name of your actual S3 bucket.