Ensure that your AWS S3 buckets cannot be accessed for WRITE actions by AWS authenticated accounts or IAM users in order to protect your S3 data from unauthorized access. An S3 bucket that allows WRITE (UPLOAD/DELETE) access to any AWS authenticated users can provide them the capability to add, delete and replace objects within the bucket without restrictions.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Granting authenticated "WRITE" access to your AWS S3 buckets can allow unauthorized users to upload, modify and delete S3 objects. Using this overly permissive ACL configuration can lead to S3 data loss or unintended charges on your AWS bill. Cloud Conformity strongly recommends against setting WRITE (UPLOAD/DELETE) permission for the "Any Authenticated AWS User" predefined group in production.
Audit
To determine if your S3 buckets allow WRITE access to AWS authenticated users, perform the following:
Remediation / Resolution
To remove authenticated WRITE access for your S3 buckets, you need to perform the following:
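As an added example (not part of the original rule page or the Cloud Conformity tool), the Python below covers both the audit and the remediation: it inspects a `get-bucket-acl` result for WRITE or FULL_CONTROL grants to the "Any Authenticated AWS User" predefined group and builds the cleaned access control policy that `put-bucket-acl --access-control-policy` accepts. The sample ACL is constructed, and the function names are mine.

```python
import json

# Predefined group URI for "Any Authenticated AWS User" in S3 ACLs.
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# WRITE grants UPLOAD/DELETE directly; FULL_CONTROL includes WRITE.
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}


def is_authenticated_write_grant(grant):
    """True if this ACL grant gives the Authenticated Users group WRITE-level access."""
    grantee = grant.get("Grantee", {})
    return (
        grantee.get("Type") == "Group"
        and grantee.get("URI") == AUTHENTICATED_USERS_URI
        and grant.get("Permission") in WRITE_PERMISSIONS
    )


def audit_bucket_acl(acl):
    """Return the offending permissions found in a get-bucket-acl result (empty = compliant)."""
    return [g["Permission"] for g in acl.get("Grants", []) if is_authenticated_write_grant(g)]


def remediate_bucket_acl(acl):
    """Return a policy in the shape put-bucket-acl expects for --access-control-policy.

    The Owner is kept as-is and only the Authenticated Users WRITE/FULL_CONTROL grants
    are dropped; every other grant (e.g. the owner's own FULL_CONTROL) survives.
    """
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if not is_authenticated_write_grant(g)],
    }


# Constructed sample modelled on `aws s3api get-bucket-acl` output (not real account data).
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE_CANONICAL_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_CANONICAL_ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print("authenticated WRITE grants:", audit_bucket_acl(SAMPLE_ACL))
    # Save this output to acl.json and apply it with:
    # aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json
    print(json.dumps(remediate_bucket_acl(SAMPLE_ACL), indent=2))
```

Run it against the real output of `aws s3api get-bucket-acl --bucket <bucket-name>` for each bucket returned by `aws s3api list-buckets`; the READ grant in the sample is left untouched because this rule is only about WRITE.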
References
- AWS Documentation
- Amazon S3 FAQs
- Amazon S3 Bucket Public Access Considerations
- Access Control List (ACL) Overview
- Managing ACLs in the AWS Management Console
- Editing Bucket Permissions
- AWS Command Line Interface (CLI) Documentation
- list-buckets
- get-bucket-acl
- put-bucket-acl
Rule: S3 Bucket Authenticated Users 'WRITE' Access
Risk level: Very High