Ensure that all your AWS S3 buckets are configured to allow access only to trusted AWS accounts, in order to protect against unauthorized cross-account access. Before the Cloud Conformity engine runs this rule, you need to provide the trusted (friendly) account identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).
Allowing untrusted cross-account access to your S3 buckets via bucket policies can lead to unauthorized actions such as viewing, uploading, modifying or deleting S3 objects. To prevent S3 data exposure, data loss and/or unexpected charges on your AWS bill, grant access only to trusted entities by implementing the access policies recommended in this conformity rule.
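As an added illustration of the check this rule performs (example code, not Cloud Conformity's own implementation), the following Python walks a bucket policy and flags every Allow statement whose AWS principal is not in the trusted account list; the policy document and account IDs are constructed for the example.

```python
import json

# Constructed sample bucket policy (not from the page): a trusted root-ARN
# principal, a mixed list with one unknown account, and a Deny statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TrustedRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "MixedWrite", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/deploy",
                               "arn:aws:iam::999988887777:role/ci"]},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

def account_id(principal):
    """12-digit account ID behind an AWS principal; None for the '*' wildcard."""
    if principal == "*":
        return None
    if principal.startswith("arn:aws:iam::"):
        return principal.split(":")[4]   # arn:aws:iam::<account>:<entity>
    return principal                     # bare account ID

def parse_trusted(friendly):
    """Normalise the rule's comma-separated account IDs / root ARNs to a set of IDs."""
    return {account_id(p.strip()) for p in friendly.split(",") if p.strip()}

def untrusted_principals(policy_json, friendly):
    """(Sid, principal) for every Allow statement whose AWS principal is not a
    trusted account; '*' is never trusted. Deny statements are ignored."""
    trusted = parse_trusted(friendly)
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            acct = account_id(p)
            if acct is None or acct not in trusted:
                findings.append((stmt.get("Sid"), p))
    return findings

if __name__ == "__main__":
    for sid, p in untrusted_principals(SAMPLE_POLICY, "123456789012"):
        print(f"{sid}: grants access to untrusted principal {p}")
```

The same function can be fed the output of `aws s3api get-bucket-policy` for a real bucket, with the trusted list taken from the rule's configuration.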
To determine whether any of your Amazon S3 buckets allow unknown cross-account access, perform the following:
To update your Amazon S3 bucket policies so that cross-account access is allowed only from trusted entities, perform the following: