S3 Bucket Authenticated Users ‘WRITE’ Access

Risk level: Very High (not tolerated)

Rule ID: S3-008

Ensure that your AWS S3 buckets cannot be accessed for WRITE actions by AWS authenticated accounts or IAM users in order to protect your S3 data from unauthorized access. An S3 bucket that allows WRITE (UPLOAD/DELETE) access to any AWS authenticated users can provide them the capability to add, delete and replace objects within the bucket without restrictions.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Granting authenticated "WRITE" access to your AWS S3 buckets can allow unauthorized users to upload, modify and delete S3 objects. Using this overly permissive ACL configuration can lead to S3 data loss or unintended charges on your AWS bill. Cloud Conformity strongly recommends against setting WRITE (UPLOAD/DELETE) permission for the "Any Authenticated AWS User" predefined group in production.

Audit

To determine if your S3 buckets allow WRITE access to AWS authenticated users, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

04 In the Properties panel, click the Permissions tab and check the Access Control List (ACL) for any grantee named "Any Authenticated AWS User". A grantee can be an AWS account or an AWS S3 predefined group. The grantee called "Any Authenticated AWS User" is an AWS predefined group that allows any authenticated AWS user to access the S3 bucket. If the bucket ACL configuration does specify the "Any Authenticated AWS User" predefined group with the Upload/Delete (WRITE) permissions enabled:

'Any Authenticated AWS User' predefined group with the Upload/Delete (WRITE) permissions enabled

any-, the selected S3 bucket is accessible to other AWS accounts and IAM users for content updates (add/delete/replace objects) and is rendered as insecure.

05 Repeat steps no. 3 and 4 for each AWS S3 bucket that you want to examine.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets within your account:

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available across all AWS regions. The following output example returns an S3 bucket named annual-internal-financial-reports:

[
    "annual-internal-financial-reports"
]

03 Run get-bucket-acl command (OSX/Linux/UNIX) to return the access control policy (ACP) for selected S3 bucket:

aws s3api get-bucket-acl
	--bucket annual-internal-financial-reports

04 The command output should display the bucket ACL policy document which contains the AWS users and groups that have access to the bucket and their level of permissions. If the Grantee URI is equal to “http://acs.amazonaws.com/groups/global/AuthenticatedUsers” and the permission associated with the group is WRITE, the selected bucket is accessible to other AWS accounts and users for updates, hence insecure. The following example displays an S3 bucket Access Control Policy (ACP) that allows public WRITE access to any authenticated AWS account/user that can send requests to upload and delete objects:

{
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "671f3e58089ec3bd00296f84056525d78415fd5e56dcfda3f8309358e9989554"
    },
    "Grants": [
        {
           "Grantee": {
               "Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
           },
           "Permission": "WRITE"
        }
    ]
}

05 Repeat steps no. 3 and 4 for each S3 bucket that you want to examine available in your AWS account.

Remediation / Resolution

To remove authenticated WRITE access for your S3 buckets, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

04 In the Properties panel, click Permissions to expand the bucket Access Control List (ACL) configuration tab and search for the grantee (predefined group) named "Any Authenticated AWS User".

05 Uncheck the Upload/Delete (WRITE) permission applied to "Any Authenticated AWS User":

or delete the predefined group entirely using the x button available next to the group settings:

06 Click Save to apply the new ACL configuration and remove the bucket WRITE (UPLOAD/ DELETE) access for authenticated users.

07 Repeat steps no. 3 – 6 for each authenticated “WRITE” accessible S3 bucket available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets available in your account:

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each existing S3 bucket:

[
    "annual-internal-financial-reports"
]

03 Run put-bucket-acl command (OSX/Linux/UNIX) using the bucket name as command parameter, to update permissions and remove the authenticated WRITE access for the selected S3 bucket by applying the private predefined ACL (if successful, the command should not return any output):

aws s3api put-bucket-acl
	--bucket annual-internal-financial-reports
	--acl private

04 Repeat step no. 3 for each authenticated “WRITE” accessible S3 bucket within your AWS account.

References

AWS Command Line Interface (CLI) Documentation
list-buckets
get-bucket-acl
put-bucket-acl

Publication date May 14, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

S3 Bucket Authenticated Users 'WRITE' Access

Risk level: Very High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related S3 rules