Logo of Trend Micro

S3 Bucket Authenticated Users 'FULL_CONTROL' Access

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Very High (act immediately)
Rule ID: S3-010

Ensure that your AWS S3 buckets are not granting FULL_CONTROL access to authenticated users (i.e. signed AWS accounts or AWS IAM users) in order to prevent unauthorized access. An S3 bucket that allows full control access to authenticated users will give any AWS account or IAM user the ability to LIST (READ) objects, UPLOAD/DELETE (WRITE) objects, VIEW (READ_ACP) objects permissions and EDIT (WRITE_ACP) permissions for the objects within the bucket. Cloud Conformity strongly recommends against setting all these permissions for the 'Any Authenticated AWS User' ACL predefined group in production.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Granting authenticated "FULL_CONTROL" access to AWS S3 buckets can allow other AWS accounts or IAM users to view, upload, modify and delete S3 objects without any restrictions. Exposing your S3 buckets to AWS signed accounts or users can lead to data leaks, data loss and unexpected charges for the S3 service.

Audit

To determine if your S3 buckets allow full access to AWS authenticated users, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

Properties tab from the S3 dashboard top right menu

04 In the Properties panel, click the Permissions tab and check the Access Control List (ACL) for any grantee labeled "Any Authenticated AWS User". A grantee can be an AWS account or an S3 predefined group. The grantee called "Any Authenticated AWS User" is the predefined group that allows any AWS authenticated user to access the S3 resource. If the bucket ACL configuration has the "Any Authenticated AWS User" predefined group with all the permissions enabled, i.e.

Any Authenticated AWS User predefined group with all the permissions enabled

the selected S3 bucket is fully accessible to other AWS accounts and IAM users and is rendered as insecure.

05 Repeat steps no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets within your account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available across all AWS regions. The following output example returns an S3 bucket named annual-internal-financial-reports: 

[
    "annual-internal-financial-reports"
]

03 Run get-bucket-acl command (OSX/Linux/UNIX) to return the access control policy for selected S3 bucket: 

aws s3api get-bucket-acl
	--bucket annual-internal-financial-reports

04 The command output should display the bucket policy document which contains the AWS users and groups that have access to the bucket and their level of permissions. If the Grantee group URI is equal to “http://acs.amazonaws.com/groups/global/AuthenticatedUsers” (Any Authenticated AWS User) and has the READ, WRITE, READ_ACP and WRITE_ACP permissions associated with it, the selected S3 bucket is fully accessible to other AWS users, hence insecure. The following example displays an S3 bucket ACL policy that allows FULL_CONTROL access to any AWS authenticated user: 

{
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "824f3e58089ec3bd00296f84056525d78415fd5e56dcfda3f8309358e9989775"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "READ_ACP"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "WRITE_ACP"
        }
    ]
}

05 Repeat steps no. 3 and 4 for each available S3 bucket that you want to examine.

Remediation / Resolution

To remove authenticated FULL_CONTROL access for your S3 buckets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

Properties tab from the S3 dashboard top right menu

04 In the Properties panel, click Permissions to expand the bucket Access Control List (ACL) configuration tab and search for the grantee (ACL predefined group) named "Any Authenticated AWS User".

05 Uncheck all the permissions applied to "Any Authenticated AWS User":

Uncheck all the permissions applied to 'Any Authenticated AWS User'

or delete the predefined group using the x button next to the permissions settings:

delete the predefined group using the x button next to the permissions settings

06 Click Save to apply the new ACL configuration and remove the bucket AWS authenticated access.

07 Repeat steps no. 3 – 6 for each S3 bucket with authenticated FULL_CONTROL access enabled, available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all S3 buckets available in your account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each existing S3 bucket: 

[
    "annual-internal-financial-reports"
]

03 Run put-bucket-acl command (OSX/Linux/UNIX) using the bucket name as CLI command parameter, to change the ACL permissions and remove the AWS authenticated FULL_CONTROL access for the selected S3 bucket (the command does not return any output): < 

aws s3api put-bucket-acl
	--bucket annual-internal-financial-reports 
	--acl private

04 Repeat step no. 3 for each S3 bucket with authenticated FULL_CONTROL access enabled.

References

Publication date May 13, 2016

Related S3 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

S3 Bucket Authenticated Users 'FULL_CONTROL' Access

Risk level: Very High