
AWS S3 Unknown Cross Account Access


Risk level: High (act today)

Ensure that all your AWS S3 buckets are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account access. Before the Cloud Conformity engine runs this rule, you need to provide the friendly account identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).

This rule resolution is part of the Cloud Conformity Security Package

Allowing untrusted cross account access to your S3 buckets via bucket policies can lead to unauthorized actions such as viewing, uploading, modifying or deleting S3 objects. To prevent S3 data exposure, data loss and/or unexpected charges on your AWS bill, grant access only to trusted entities by implementing the access policies recommended in this conformity rule.

Audit

To determine if there are any Amazon S3 buckets that allow unknown cross account access, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu.


04 Inside the Properties tab, click Permissions to expand the bucket permissions configuration panel.

05 Now click Edit bucket policy to access the bucket policy currently in use.

06 In the Bucket Policy Editor dialog box, identify the AWS account ID (e.g. 123456789012) or the AWS account ARN (e.g. arn:aws:iam::123456789012:root) defined as value(s) for the access policy Principal element.

You can disregard accounts owned by AWS where ELBs reside (the regional Elastic Load Balancing accounts that must be granted access so that load balancer access logs can be delivered to the bucket). More details can be found in the AWS documentation.

07 Sign in to your Cloud Conformity console, access the S3 Cross Account Access conformity rule settings and compare the identifier(s) found at the previous step (ID(s)/ARN(s)) against each identifier listed in the rule configuration section. If the identifier found within the access policy does not match any of the trusted account entities listed on your Cloud Conformity console, the cross account access to the selected S3 bucket is not secured.

08 Repeat steps no. 3 - 7 to verify the access policy of the other S3 buckets available in the current region for unknown cross account access entities (AWS account IDs/ARNs).

09 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets created within your AWS account:

aws s3api list-buckets \
    --query 'Buckets[*].Name'

02 The command output should return the names of the S3 buckets available across all AWS regions:

[
    "webapp-file-backups",
    "webapp-data-repo"
]

03 Run get-bucket-policy command (OSX/Linux/UNIX) to retrieve the bucket policy defined for the selected S3 bucket and write its content into a JSON file named s3-bucket-access-policy.json (the command does not produce any output on the terminal because it is redirected to the file):

aws s3api get-bucket-policy \
    --bucket webapp-file-backups \
    --query Policy \
    --output text > s3-bucket-access-policy.json

04 Open the s3-bucket-access-policy.json file in your preferred text editor. The policy document extracted with the get-bucket-policy command should look like this:

{
  "Id": "S3Policy1482312318453",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StmtID1482312312267",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::webapp-file-backups/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root"
        ]
      }
    }
  ]
}

05 Identify the AWS account ID (e.g. 123456789012) or account ARN (e.g. arn:aws:iam::123456789012:root) defined as value(s) for the Principal element listed in your access policy returned at the previous step.

You can disregard accounts owned by AWS where ELBs reside (the regional Elastic Load Balancing accounts that must be granted access so that load balancer access logs can be delivered to the bucket). More details can be found in the AWS documentation.

06 Log in to your Cloud Conformity console, access the S3 Cross Account Access conformity rule settings and compare the identifier(s) found at the previous step (ID(s)/ARN(s)) against each identifier listed in the rule configuration section. If the identifier found within the access policy does not match any of the trusted account entities listed on your Cloud Conformity console, the cross account access to the selected S3 bucket is not secured.

07 Repeat steps no. 3 - 6 to verify the access policy of the other S3 buckets available in the current region for unknown cross account access entities.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.
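The comparison in steps 05 and 06 can be automated against the JSON saved by get-bucket-policy. The following script is an added example, not Cloud Conformity's engine or any AWS-provided code: it walks every Allow statement, normalizes each AWS principal (bare account ID, IAM/STS ARN, or the wildcard "*") to its account ID and reports any principal that is not in the trusted list. The policy embedded below is constructed for the example; the account 999999999999 and the Sids are placeholders.

```python
import json
import re

# Constructed sample policy in the same shape as the get-bucket-policy output above.
# 123456789012 is the trusted account; 999999999999 is a constructed unknown account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Trusted", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::webapp-file-backups/*",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]}},
        {"Sid": "Unknown", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::webapp-file-backups/*",
         "Principal": {"AWS": "arn:aws:iam::999999999999:user/reader"}},
        {"Sid": "Public", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::webapp-file-backups/*",
         "Principal": "*"},
        {"Sid": "Denied", "Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::webapp-file-backups/*",
         "Principal": {"AWS": "arn:aws:iam::555555555555:root"}},
    ],
})

# IAM principals (root, user, role) and STS principals (assumed-role) carry the
# 12-digit account ID in the ARN's account field.
ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")

def account_id(principal):
    """Map a Principal value to its 12-digit account ID; '*' stays '*'."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = ACCOUNT_RE.match(principal)
    return m.group(1) if m else principal  # unknown shape: reported as-is

def allowed_aws_principals(policy_json):
    """Yield (Sid, principal) for every AWS principal granted by an Allow statement."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant cross account access
        principal = stmt.get("Principal", {})
        if principal == "*":
            yield stmt.get("Sid"), "*"  # anonymous access, always reported
            continue
        # Principal may be a string or a list; Service principals are not accounts
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in ([aws] if isinstance(aws, str) else aws):
            yield stmt.get("Sid"), p

def untrusted_principals(policy_json, trusted_accounts):
    """Return (Sid, principal) pairs whose account is not in the trusted list."""
    trusted = {account_id(t) for t in trusted_accounts}
    return [(sid, p) for sid, p in allowed_aws_principals(policy_json)
            if account_id(p) not in trusted]
```

To run it against a real bucket, replace SAMPLE_POLICY with the contents of s3-bucket-access-policy.json and pass the trusted IDs/ARNs configured on your Cloud Conformity console; an empty result means every Allow statement names a trusted account.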

Remediation / Resolution

To update your Amazon S3 buckets policy in order to allow cross account access only from trusted entities, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to reconfigure (see Audit section part I to identify the right AWS resource).

04 Click the Properties tab from the S3 dashboard top right menu.


05 Inside the Properties tab, click Permissions to expand the bucket permissions configuration panel.

06 Now click Edit bucket policy to update the current access policy by replacing the existing (untrusted) AWS identifier(s) available as the Principal element value(s) with the trusted one(s), defined prior to running this rule on your Cloud Conformity console.

07 Click Save to apply the policy changes.

08 Repeat steps no. 3 - 7 to update the access policy for other S3 buckets available in the current region in order to block requests from any unauthorized AWS accounts.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, edit your Amazon S3 bucket access policy, replace the untrusted AWS identifier(s) with the trusted one(s), then save the policy in a JSON document (e.g. s3-cross-account-access-policy.json). You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your custom access policies. The following example contains an S3 policy document that allows another (friendly) AWS account, identified by the ARN "arn:aws:iam::401639253281:root", to perform any action on the objects stored within the S3 bucket identified by the ARN "arn:aws:s3:::webapp-file-backups":

{
  "Id": "S3Policy1482312239565",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StmtID1482312238163",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::webapp-file-backups/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::401639253281:root"
        ]
      }
    }
  ]
}

02 Run put-bucket-policy command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to reconfigure (see Audit section part II to identify the right bucket) to replace the existing access policy with the one defined at the previous step, i.e. s3-cross-account-access-policy.json (the command does not produce an output):

aws s3api put-bucket-policy \
    --bucket webapp-file-backups \
    --policy file://s3-cross-account-access-policy.json

03 Repeat steps no. 1 and 2 to update the access policy for other S3 buckets available in the current region in order to block requests from unauthorized cross account entities.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.


Publication date May 25, 2016