S3 Buckets Should Not Allow Public Writes
More Info:
AWS S3 buckets should not be publicly accessible for WRITE actions via S3 access control lists (ACLs), in order to protect your S3 data from unauthorized users.
Risk Level
Critical
Address
Security
Compliance Standards
HIPAA, PCIDSS, NIST
Remediation
Using Console
Sure, here are the step-by-step instructions to remediate the misconfiguration in AWS:
- Log in to the AWS Management Console.
- Navigate to the S3 service.
- Click on the name of the bucket that you want to remediate.
- Click on the “Permissions” tab.
- Under the “Block public access (bucket settings)” section, click on “Edit”.
- Uncheck the box next to “Block all public access”.
- Check the box next to “Block public access to buckets and objects granted through new public bucket policies”.
- Check the box next to “Block public and cross-account access to buckets and objects through any public bucket policies”.
- Click on “Save changes”.
After following these steps, your S3 bucket will no longer allow public writes.
Using CLI
The following steps can be taken to remediate the S3 bucket public write issue in AWS using AWS CLI:
-
Open the AWS CLI on your local machine.
-
Run the following command to list all the S3 buckets in your AWS account:
aws s3 ls
-
Identify the S3 bucket that has public write access.
-
Run the following command to remove public write access from the S3 bucket:
aws s3api put-bucket-acl --bucket BUCKET-NAME --acl private
Replace BUCKET-NAME with the name of the S3 bucket that has public write access.
- Run the following command to verify that the public write access has been removed from the S3 bucket:
aws s3api get-bucket-acl --bucket BUCKET-NAME
Replace BUCKET-NAME with the name of the S3 bucket that has public write access.
- If the above command returns the following output, then public write access has been successfully removed from the S3 bucket:
{
"Grants": [
{
"Grantee": {
"Type": "CanonicalUser",
"ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
"Permission": "FULL_CONTROL"
}
],
"Owner": {
"DisplayName": "owner-name",
"ID": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
Note: It is important to regularly audit the S3 buckets in your AWS account to ensure that they are not publicly accessible and have the appropriate access controls in place.
Using Python
To remediate the misconfiguration “S3 Buckets Should Not Allow Public Writes” in AWS, you can use the following steps in Python:
-
Install the AWS SDK for Python (Boto3) using the command
pip install boto3. -
Create an S3 client using the following code:
import boto3
s3 = boto3.client('s3')
- Get a list of all S3 buckets in your AWS account using the
list_buckets()method:
response = s3.list_buckets()
for bucket in response['Buckets']:
bucket_name = bucket['Name']
- For each bucket, check if it allows public write access using the
get_bucket_acl()method:
acl = s3.get_bucket_acl(Bucket=bucket_name)
for grant in acl['Grants']:
grantee = grant['Grantee']
permission = grant['Permission']
if 'URI' in grantee and grantee['URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers' and permission == 'WRITE':
# Bucket allows public write access
- If the bucket allows public write access, remove the permission using the
put_bucket_acl()method:
s3.put_bucket_acl(
Bucket=bucket_name,
ACL='private'
)
The final code to remediate the misconfiguration “S3 Buckets Should Not Allow Public Writes” in AWS using Python will look something like this:
import boto3
s3 = boto3.client('s3')
response = s3.list_buckets()
for bucket in response['Buckets']:
bucket_name = bucket['Name']
acl = s3.get_bucket_acl(Bucket=bucket_name)
for grant in acl['Grants']:
grantee = grant['Grantee']
permission = grant['Permission']
if 'URI' in grantee and grantee['URI'] == 'http://acs.amazonaws.com/groups/global/AllUsers' and permission == 'WRITE':
s3.put_bucket_acl(
Bucket=bucket_name,
ACL='private'
)