> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# S3 Bucket Should Not Allow Public FULL_CONTROL Access

### More Info:

There should not be any publicly accessible S3 buckets available in your AWS account in order to protect your S3 data from loss and unauthorized access.

### Risk Level

Critical

### Address

Security

### Compliance Standards

CBP, HITRUST, AWSWAF, SOC2, NISTCSF

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step-by-step instructions to remediate the S3 bucket misconfiguration in AWS:

        1. Log in to the AWS Management Console and navigate to the S3 service.

        2. Click on the name of the bucket that has the public FULL\_CONTROL access.

        3. Click on the "Permissions" tab and then select "Bucket Policy".

        4. Review the policy to see if there is any statement that grants public FULL\_CONTROL access.

        5. If there is any statement that grants public FULL\_CONTROL access, remove it from the policy by editing the JSON policy document.

        6. Alternatively, you can also revoke the public FULL\_CONTROL access by selecting the "Access Control List" (ACL) tab and then removing the "Everyone" grantee with FULL\_CONTROL access.

        7. Once you have made the necessary changes, click on the "Save" button to save the updated policy or ACL.

        8. Finally, test the bucket to ensure that the public FULL\_CONTROL access has been remediated.

        By following the above steps, you can remediate the S3 bucket misconfiguration to ensure that it does not allow public FULL\_CONTROL access.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate this misconfiguration, you can follow these steps using AWS CLI:

        1. Open your terminal and install the AWS CLI if you haven't installed it already.

        2. Run the following command to list all the S3 buckets in your account:

           ```
           aws s3api list-buckets
           ```

        3. Identify the bucket that has public FULL\_CONTROL access.

        4. Run the following command to remove the public FULL\_CONTROL access from the bucket:

           ```
           aws s3api put-bucket-acl --bucket <bucket-name> --acl private
           ```

           Replace `<bucket-name>` with the name of the bucket that you identified in step 3.

        5. Verify that the public FULL\_CONTROL access has been removed by running the following command:

           ```
           aws s3api get-bucket-acl --bucket <bucket-name>
           ```

           Replace `<bucket-name>` with the name of the bucket that you identified in step 3. The output should show that there are no grants with the permission "FULL\_CONTROL" for "AllUsers" or "AuthenticatedUsers".

        6. Repeat steps 3-5 for any other buckets that have public FULL\_CONTROL access.

        By following these steps, you have successfully remediated the misconfiguration of allowing public FULL\_CONTROL access to an S3 bucket in AWS.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of an S3 bucket allowing public FULL\_CONTROL access, you can follow these steps:

        1. Open the AWS Management Console and navigate to the S3 service.

        2. Select the bucket that you want to remediate.

        3. Click on the "Permissions" tab and then click on the "Access control list (ACL)" option.

        4. Locate the "Grantee" that is set to "Everyone" and has "FULL\_CONTROL" permissions.

        5. Remove the "Grantee" by clicking on the "x" icon next to it.

        6. Click on the "Save" button to save the changes.

        To automate this process using Python, you can use the AWS SDK for Python (Boto3) and follow these steps:

        1. Install the Boto3 library by running the following command in your terminal:

        ```
        pip install boto3
        ```

        2. Create a new Python file and import the necessary libraries:

        ```python theme={null}
        import boto3
        ```

        3. Create a new S3 client:

        ```python theme={null}
        s3 = boto3.client('s3')
        ```

        4. Retrieve the ACL of the bucket:

        ```python theme={null}
        bucket_acl = s3.get_bucket_acl(Bucket='your-bucket-name')
        ```

        5. Loop through the ACL and remove any grant that has "FULL\_CONTROL" permissions for the "AllUsers" group:

        ```python theme={null}
        for grant in bucket_acl['Grants']:
            if grant['Grantee']['Type'] == 'Group' and grant['Grantee']['URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers' and grant['Permission'] == 'FULL_CONTROL':
                s3.put_bucket_acl(Bucket='your-bucket-name', AccessControlPolicy={'Grants': [g for g in bucket_acl['Grants'] if g != grant], 'Owner': bucket_acl['Owner']})
        ```

        6. Run the Python script and check the S3 bucket to confirm that the public FULL\_CONTROL access has been removed.

        Note: Make sure to replace "your-bucket-name" with the name of your actual S3 bucket.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html)
