Open menu
-->

AWS S3 Bucket Authenticated 'WRITE_ACP' Access

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: Very High (act immediately)

Ensure that your AWS S3 buckets do not allow authenticated AWS accounts or IAM users to modify access control permissions to protect your S3 data from unauthorized access. An S3 bucket that allows WRITE_ACP access to AWS authenticated users can give these the capability to edit permissions and gain full access to the resource. Allowing this type of access is dangerous and can lead to data loss or unexpectedly high S3 charges on your AWS bill as a result of economic denial-of-service attacks.

This rule resolution is part of the Cloud Conformity Security Package

Granting authenticated "WRITE_ACP" access to your AWS S3 buckets can allow other AWS accounts or IAM users to edit ACL permissions in order to view, upload, modify and delete S3 objects within the buckets without restrictions. Cloud Conformity strongly recommends against setting WRITE_ACP (EDIT PERMISSIONS) for the "Any Authenticated AWS User" predefined group in production.

Audit

To determine if your existing S3 buckets allow WRITE_ACP access to AWS authenticated users, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

Properties tab from the S3 dashboard top right menu

04 In the Properties panel, click the Permissions tab and check the Access Control List (ACL) for any grantee named "Any Authenticated AWS User". A grantee can be an AWS account or an AWS S3 predefined group. The grantee called "Any Authenticated AWS User" is an AWS predefined group that allows any authenticated AWS user (root or IAM user) to access the S3 bucket. If the bucket ACL configuration does specify the "Any Authenticated AWS User" predefined group with the Edit Permissions (WRITE_ACP) permissions enabled:

'Any Authenticated AWS User' predefined group with the Edit Permissions

the selected S3 bucket is accessible to other AWS accounts and IAM users for ACL permission updates and is rendered as insecure.

05 Repeat steps no. 3 and 4 for each AWS S3 bucket that you want to examine.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets within your account:

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available across all AWS regions. The following output example returns an S3 bucket named annual-internal-financial-reports

[
    "annual-internal-financial-reports"
]

03 Run get-bucket-acl command (OSX/Linux/UNIX) to return the Access Control Policy (ACP) for selected S3 bucket:

aws s3api get-bucket-acl
	--bucket annual-internal-financial-reports

04 Run The command output should display the bucket policy document which contains the AWS users and groups that have access to the bucket and their level of permissions. If the Grantee group URI is equal to “http://acs.amazonaws.com/groups/global/AuthenticatedUsers” (Any Authenticated AWS User) and the permission associated with the grantee is WRITE_ACP, the selected S3 bucket is accessible to other AWS accounts and IAM users accessible for ACL permission updates, hence insecure. The following example displays an S3 bucket ACP that allows WRITE_ACP (EDIT PERMISSIONS) access to any AWS user that can send valid signed requests to modify the resource ACL configuration:

{
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "554E3e58089ec3bd00296f84056525d78415fd5e56dcfda3f8309358e9984466"
    },
    "Grants": [
        {
           "Grantee": {
               "Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
           },
           "Permission": "WRITE_ACP"
        }
    ]
}

05 Repeat steps no. 3 and 4 for each S3 bucket that you want to examine available in your AWS account.

Remediation / Resolution

To remove authenticated WRITE_ACP access for your S3 buckets, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

Properties tab from the S3 dashboard top right menu

04 In the Properties panel, click Permissions to expand the bucket Access Control List (ACL) configuration tab and search for the grantee (predefined group) named "Any Authenticated AWS User".

05 Uncheck the Edit Permissions (WRITE_ACP) permission applied to "Any Authenticated AWS User":

Uncheck the Edit Permissions (WRITE_ACP) permission applied to 'Any Authenticated AWS User'

or delete the predefined group using the x button next to the group settings:

delete the predefined group using the x button next to the group settings

06 Click Save to apply the new ACL configuration and remove the bucket authenticated WRITE_ACP (EDIT PERMISSIONS) access.

07 Repeat steps no. 3 – 6 for each authenticated “WRITE_ACP” accessible S3 bucket available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets available in your account:

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each existing S3 bucket. The following output example returns one S3 bucket named annual-internal-financial-reports:

[
    "annual-internal-financial-reports"
]

03 Run put-bucket-acl command (OSX/Linux/UNIX) using the bucket name as command parameter, to update permissions and remove the authenticated WRITE_ACP access for the selected S3 bucket by applying the private predefined S3 Access Control List (if successful, the command should not return any output):

aws s3api put-bucket-acl
	--bucket annual-internal-financial-reports
	--acl private

04 Repeat step no. 3 for each authenticated “WRITE_ACP” accessible S3 bucket within your AWS account.

References

Publication date May 14, 2016