Ensure that your AWS S3 buckets do not allow authenticated AWS accounts or IAM users to modify access control permissions, so that your S3 data is protected from unauthorized access. An S3 bucket that grants WRITE_ACP access to the "Authenticated Users" group gives any AWS-authenticated user the capability to edit the bucket's permissions and thereby gain full access to the resource. Allowing this type of access is dangerous and can lead to data loss or to unexpectedly high S3 charges on your AWS bill as a result of economic denial-of-service attacks.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Granting "WRITE_ACP" access to the Authenticated Users group on your AWS S3 buckets allows other AWS accounts or IAM users to edit the ACL permissions and, from there, to view, upload, modify and delete S3 objects within the buckets without restriction. Cloud Conformity strongly recommends against setting WRITE_ACP (EDIT PERMISSIONS) for the "Any Authenticated AWS User" predefined group in production.
To determine if your existing S3 buckets allow WRITE_ACP access to AWS authenticated users, perform the following:
To remove authenticated WRITE_ACP access for your S3 buckets, you need to perform the following:
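The audit and the remediation described above can be automated against the ACL structure that the S3 API returns. The following is an added example (not Cloud Conformity's or AWS's code): it assumes the dict shape returned by boto3's `s3.get_bucket_acl()` (an `Owner` plus a list of `Grants`, where a group grantee has `Type: "Group"` and a `URI`), flags grants of WRITE_ACP or FULL_CONTROL to the global AuthenticatedUsers group, and builds the reduced access control policy that would be passed to `put_bucket_acl()`. The sample ACLs and the canonical IDs in them are constructed for the example; the `audit_buckets` and `remediate_bucket` helpers take a boto3 S3 client as an argument rather than importing boto3, so the pure checks run offline.

```python
"""Audit S3 bucket ACLs for WRITE_ACP granted to the Authenticated Users group,
and build the corrected ACL. Example code; the ACL dicts below are constructed."""

# Predefined group that matches any AWS-authenticated principal, not just your own account.
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# FULL_CONTROL implies WRITE_ACP, so both permissions are treated as ACL-edit access.
ACL_EDIT_PERMISSIONS = {"WRITE_ACP", "FULL_CONTROL"}


def find_authenticated_write_acp_grants(acl: dict) -> list:
    """Return the grants that let any authenticated AWS user edit this bucket's ACL."""
    offending = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        is_auth_group = (grantee.get("Type") == "Group"
                         and grantee.get("URI") == AUTHENTICATED_USERS_URI)
        if is_auth_group and grant.get("Permission") in ACL_EDIT_PERMISSIONS:
            offending.append(grant)
    return offending


def is_compliant(acl: dict) -> bool:
    """True when no authenticated-users WRITE_ACP/FULL_CONTROL grant is present."""
    return not find_authenticated_write_acp_grants(acl)


def remediated_access_control_policy(acl: dict) -> dict:
    """Build the AccessControlPolicy for put_bucket_acl with only the offending
    grants removed. Owner and every other grant (owner FULL_CONTROL, log delivery,
    specific canonical users) are preserved; response metadata is dropped."""
    bad = find_authenticated_write_acp_grants(acl)
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if g not in bad],
    }


def audit_buckets(s3_client, bucket_names):
    """Map bucket name -> compliant? using a boto3 S3 client passed in by the caller."""
    return {name: is_compliant(s3_client.get_bucket_acl(Bucket=name))
            for name in bucket_names}


def remediate_bucket(s3_client, bucket_name) -> bool:
    """Rewrite the bucket ACL without the offending grants. Returns True if changed."""
    acl = s3_client.get_bucket_acl(Bucket=bucket_name)
    if is_compliant(acl):
        return False
    s3_client.put_bucket_acl(Bucket=bucket_name,
                             AccessControlPolicy=remediated_access_control_policy(acl))
    return True


# Constructed sample ACLs (canonical IDs are placeholders, not real AWS values).
SAMPLE_OWNER = {"ID": "EXAMPLE_OWNER_CANONICAL_ID", "DisplayName": "example-owner"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_CANONICAL_ID",
                           "DisplayName": "example-owner"},
               "Permission": "FULL_CONTROL"}
NONCOMPLIANT_ACL = {
    "Owner": SAMPLE_OWNER,
    "Grants": [
        OWNER_GRANT,
        # The grant this rule is about: any authenticated AWS user may edit permissions.
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
         "Permission": "WRITE_ACP"},
    ],
    "ResponseMetadata": {"HTTPStatusCode": 200},
}
COMPLIANT_ACL = {"Owner": SAMPLE_OWNER, "Grants": [OWNER_GRANT]}

if __name__ == "__main__":
    for name, acl in (("noncompliant-example", NONCOMPLIANT_ACL),
                      ("compliant-example", COMPLIANT_ACL)):
        print(name, "compliant" if is_compliant(acl) else "NON-COMPLIANT")
    print("remediated policy:", remediated_access_control_policy(NONCOMPLIANT_ACL))
```

Note that a READ or WRITE grant to the same group is deliberately not flagged here, since those fall under separate checks; this function only answers the question this rule asks. To run it for real, list buckets with `s3_client.list_buckets()` and pass the names to `audit_buckets`, then apply `remediate_bucket` only after confirming the remaining grants are the ones you intend to keep.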