Ensure that your AWS S3 buckets do not grant WRITE access to the "Any Authenticated AWS User" group (any AWS account or IAM user that can sign a request) in order to protect your S3 data from unauthorized access. An S3 bucket ACL that grants WRITE (UPLOAD/DELETE) access to any AWS authenticated user lets any such user add, delete and replace objects within the bucket without restriction.
Granting authenticated "WRITE" access to your AWS S3 buckets can allow unauthorized users to upload, modify and delete S3 objects. Using this overly permissive ACL configuration can lead to S3 data loss or unintended charges on your AWS bill. Cloud Conformity strongly recommends against setting WRITE (UPLOAD/DELETE) permission for the "Any Authenticated AWS User" predefined group in production.
To determine if your S3 buckets allow WRITE access to AWS authenticated users, perform the following:
To remove authenticated WRITE access for your S3 buckets, you need to perform the following:
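The following is an added example (not Cloud Conformity's own tooling) that covers both steps above: it inspects a bucket ACL in the shape returned by `aws s3api get-bucket-acl` or boto3's `get_bucket_acl`, flags any grant that gives the `AuthenticatedUsers` global group WRITE (or FULL_CONTROL, which includes WRITE), and builds the sanitized `AccessControlPolicy` you would pass to `put-bucket-acl` to remove it. The ACL document is constructed inline (the owner ID is a placeholder); the group URIs are the real AWS values. The log-delivery WRITE grant in the sample is deliberately left in place, because it is not an authenticated-users grant and is the normal configuration for a server access log bucket.

```python
"""Audit and remediate "Authenticated Users" WRITE grants in an S3 bucket ACL.

Works on the ACL document as returned by `aws s3api get-bucket-acl` or
boto3's `s3.get_bucket_acl(Bucket=...)`, so it can be run offline on a
saved ACL. Example code, not part of the original page.
"""
import json

AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# WRITE allows object upload/delete; FULL_CONTROL implies WRITE as well.
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}

# Constructed sample ACL (owner ID is a placeholder, not a real canonical ID).
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "OWNER-CANONICAL-ID-PLACEHOLDER",
                     "DisplayName": "example-owner"},
         "Permission": "FULL_CONTROL"},
        # Read access for any authenticated user: a separate concern, not this rule.
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
         "Permission": "READ"},
        # The finding this rule is about: any AWS account can upload/delete here.
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
         "Permission": "WRITE"},
        # Legitimate WRITE grant for S3 server access logging; must not be flagged.
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI},
         "Permission": "WRITE"},
    ],
}


def is_authenticated_write_grant(grant: dict) -> bool:
    """True if this grant gives the AuthenticatedUsers group write capability."""
    grantee = grant.get("Grantee", {})
    return (
        grantee.get("Type") == "Group"
        and grantee.get("URI") == AUTHENTICATED_USERS_URI
        and grant.get("Permission") in WRITE_PERMISSIONS
    )


def authenticated_write_grants(acl: dict) -> list:
    """Audit step: every offending grant in the ACL (empty list means compliant)."""
    return [g for g in acl.get("Grants", []) if is_authenticated_write_grant(g)]


def bucket_allows_authenticated_write(acl: dict) -> bool:
    return bool(authenticated_write_grants(acl))


def strip_authenticated_write_grants(acl: dict) -> dict:
    """Remediation step: the AccessControlPolicy to apply with put-bucket-acl.

    Keeps the owner and every grant that is not an AuthenticatedUsers write
    grant, so other intentional grants (e.g. log delivery) survive unchanged.
    """
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if not is_authenticated_write_grant(g)],
    }


def audit_report(buckets: dict) -> dict:
    """Map of bucket name -> offending permissions, for a batch of {name: acl}."""
    return {
        name: sorted(g["Permission"] for g in authenticated_write_grants(acl))
        for name, acl in buckets.items()
        if bucket_allows_authenticated_write(acl)
    }


if __name__ == "__main__":
    report = audit_report({"example-bucket": SAMPLE_ACL})
    print("Findings:", report)
    hardened = strip_authenticated_write_grants(SAMPLE_ACL)
    # This JSON is what you would pass as --access-control-policy to
    # `aws s3api put-bucket-acl --bucket example-bucket`.
    print(json.dumps(hardened, indent=2))
```

Run it against a saved ACL by loading the JSON from `aws s3api get-bucket-acl --bucket <name>` into `SAMPLE_ACL`'s place; an empty `audit_report` result means the bucket passes this rule. Note that removing the grant from the ACL is the fix the page describes; enabling S3 Block Public Access does not affect the `AuthenticatedUsers` group, so it is not a substitute for this remediation.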