Ensure that your AWS S3 buckets cannot be accessed for WRITE actions by the "Any Authenticated AWS User" group (any AWS account or IAM user, not only those in your own account) in order to protect your S3 data from unauthorized access. An S3 bucket that allows WRITE (UPLOAD/DELETE) access to any AWS authenticated user gives every such user the capability to add, delete and replace objects within the bucket without restriction.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Granting authenticated "WRITE" access to your AWS S3 buckets can allow unauthorized users to upload, modify and delete S3 objects. Using this overly permissive ACL configuration can lead to S3 data loss or unintended charges on your AWS bill. Cloud Conformity strongly recommends against setting WRITE (UPLOAD/DELETE) permission for the "Any Authenticated AWS User" predefined group in production.
To determine if your S3 buckets allow WRITE access to AWS authenticated users, perform the following:
To remove authenticated WRITE access for your S3 buckets, you need to perform the following:
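The check and the remediation described above, as an added example that is not part of the Cloud Conformity rule page: it inspects the ACL grants for the predefined `AuthenticatedUsers` group and builds an ACL with the WRITE (and FULL_CONTROL, which includes WRITE) grants removed while keeping every other grant. It assumes the ACL dict has the shape returned by boto3's `get_bucket_acl()`, so the result can be handed to `put_bucket_acl(AccessControlPolicy=...)`; the sample ACL and its IDs are constructed placeholders.

```python
"""Detect and remediate S3 ACL grants that give the predefined
"Any Authenticated AWS User" group WRITE access. Assumes the ACL dict has the
shape boto3's get_bucket_acl() returns (assumption of this added example)."""
from copy import deepcopy

# Predefined-group URI S3 uses for "Any Authenticated AWS User"
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# WRITE grants upload/delete; FULL_CONTROL includes WRITE
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}


def grants_authenticated_write(grant):
    """True if one ACL grant gives the AuthenticatedUsers group write access."""
    grantee = grant.get("Grantee", {})
    return (grantee.get("Type") == "Group"
            and grantee.get("URI") == AUTHENTICATED_USERS_URI
            and grant.get("Permission") in WRITE_PERMISSIONS)


def offending_grants(acl):
    """Grants in an ACL that give authenticated users write access (the check)."""
    return [g for g in acl.get("Grants", []) if grants_authenticated_write(g)]


def remediated_policy(acl):
    """AccessControlPolicy with offending grants removed; all other grants
    (owner FULL_CONTROL, READ for the same group, log delivery) are kept."""
    return {
        "Owner": deepcopy(acl["Owner"]),
        "Grants": [deepcopy(g) for g in acl.get("Grants", [])
                   if not grants_authenticated_write(g)],
    }


# Constructed sample ACL (placeholder IDs, not a real account): owner has
# FULL_CONTROL and the AuthenticatedUsers group was granted WRITE and READ.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("offending grants:", len(offending_grants(SAMPLE_ACL)))
    print("remediated policy:", remediated_policy(SAMPLE_ACL))
```

On a live bucket, fetch the ACL with `aws s3api get-bucket-acl --bucket <name>` (or boto3) and apply the remediated policy with `put-bucket-acl`; the READ grant to the same group is left in place because this rule only covers WRITE.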