> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# S3 Bucket Should Not Allow Public WRITE_ACP Access

### More Info:

AWS S3 buckets should not allow public WRITE\_ACP access. Granting public "WRITE\_ACP" access to your AWS S3 buckets can allow anonymous users to edit their ACL permissions and eventually be able to view, upload, modify and delete S3 objects within the bucket without restrictions.

### Risk Level

High

### Address

Security

### Compliance Standards

NIST, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration "S3 Bucket Should Not Allow Public WRITE\_ACP Access" for AWS using the AWS console, please follow the below steps:

        1. Log in to your AWS console.
        2. Navigate to S3 service.
        3. Select the bucket that has public WRITE\_ACP access.
        4. Click on the "Permissions" tab.
        5. Scroll down to "Access Control List (ACL)" and click on it.
        6. Look for any entries that have the "Grantee" set to "All Users" or "Authenticated Users".
        7. If you find any such entries, select them and click on the "Revoke" button to remove the public WRITE\_ACP access.
        8. Click on the "Save" button to save the changes.

        Once you have completed the above steps, your S3 bucket will no longer have public WRITE\_ACP access and will be remediated.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "S3 Bucket Should Not Allow Public WRITE\_ACP Access" for AWS using AWS CLI, you can follow these steps:

        1. Open the AWS CLI on your local machine or EC2 instance.

        2. Identify the S3 bucket that is allowing public WRITE\_ACP access. You can use the following command to list all the S3 buckets in your AWS account:

        ```
        aws s3api list-buckets
        ```

        3. Once you have identified the bucket, you can use the following command to update the bucket policy to remove public WRITE\_ACP access:

        ```
        aws s3api put-bucket-acl --bucket BUCKET_NAME --acl private
        ```

        Replace BUCKET\_NAME with the name of the S3 bucket that you want to update.

        4. Verify that the bucket policy has been updated successfully by running the following command:

        ```
        aws s3api get-bucket-acl --bucket BUCKET_NAME
        ```

        Replace BUCKET\_NAME with the name of the S3 bucket that you updated in step 3.

        5. Check if the misconfiguration has been remediated by running a security scan or audit on your AWS account.

        By following these steps, you can remediate the misconfiguration "S3 Bucket Should Not Allow Public WRITE\_ACP Access" for AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the issue of S3 Bucket allowing public WRITE\_ACP access in AWS using Python, you can follow the below steps:

        1. Install the AWS SDK for Python (boto3) using the following command:

        ```
        pip install boto3
        ```

        2. Create a boto3 S3 client object using the following code:

        ```
        import boto3
        s3 = boto3.client('s3')
        ```

        3. Get the bucket policy using the `get_bucket_policy` method of the S3 client object:

        ```
        bucket_name = 'your-bucket-name'
        bucket_policy = s3.get_bucket_policy(Bucket=bucket_name)
        ```

        4. Check if the bucket policy allows public WRITE\_ACP access. You can use the following code to check this:

        ```
        import json
        bucket_policy_json = json.loads(bucket_policy['Policy'])
        if 'Statement' in bucket_policy_json:
            for statement in bucket_policy_json['Statement']:
                if 'Effect' in statement and statement['Effect'] == 'Allow':
                    if 'Principal' in statement and statement['Principal'] == '*':
                        if 'Action' in statement and 's3:PutBucketAcl' in statement['Action']:
                            print('Public WRITE_ACP access is allowed')
        ```

        5. If the bucket policy allows public WRITE\_ACP access, you can remove it using the `put_bucket_acl` method of the S3 client object. You can use the following code to remove the public WRITE\_ACP access:

        ```
        response = s3.put_bucket_acl(
            Bucket=bucket_name,
            ACL='private'
        )
        ```

        This will set the bucket ACL to private and remove the public WRITE\_ACP access.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html)
