Logo of Trend Micro

S3 Bucket Public Access Via Policy

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Very High (act immediately)
Rule ID: S3-014

Ensure that your AWS S3 buckets are not publicly accessible via bucket policies in order to protect against unauthorized access. Allowing unrestricted access through bucket policies gives everyone the ability to list the objects within the bucket (ListBucket), download objects (GetObject), upload/delete objects (PutObject, DeleteObject), view objects permissions (GetBucketAcl), edit objects permissions (PutBucketAcl) and more. Cloud Conformity strongly recommends using bucket policies to limit the access to a particular AWS account (friendly account) instead of providing public access to everyone on the Internet.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Granting public access to your S3 buckets via bucket policies can allow malicious users to view, get, upload, modify and delete S3 objects, actions that can lead to data loss and unexpected charges on your AWS bill.

Audit

To determine if your Amazon S3 buckets allow unauthorized public access via bucket policies, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

Select the S3 bucket that you want to examine and click the Properties

04 Inside the Properties tab, click Permissions to expand the bucket permissions configuration panel.

05 Now click Edit bucket policy to access the bucket policy currently used.

06 In the Bucket Policy Editor dialog box, verify the Effect and Principal policy elements. Effect describes the permission effect that will be used when the user requests the action(s) defined in the policy - the element value can be either Allow or Deny. The Principal is the account or the user that has access to the actions and resources declared in the policy statement.
If the Effect element value is set to Allow and the Principal element value is set to "*" (i.e. everyone) or {"AWS": "*"}, the selected S3 bucket is publicly accessible unless there is a Condition element, and can be marked as insecure. Note that both elements value must match in order to declare the bucket publicly accessible.

07 Repeat steps no. 3 - 6 to verify the access policies used by other S3 buckets available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list all existing S3 buckets within your AWS account:

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the names of your S3 buckets available across all AWS regions: 

[
    "webapp-data-repo",
    "webapp-data-reports",
    "webapp-media-library"
]

03 Run get-bucket-policy command (OSX/Linux/UNIX) to retrieve the bucket policy defined for selected S3 bucket and put its content into a JSON file named bucket-policy.json (the command does not produce an output): 

aws s3api get-bucket-policy
	--bucket webapp-data-repo
	--query Policy
	--output text > bucket-policy.json

04 Open the bucket-policy.json file in your preferred editor. The policy document extracted should look like the following: 

{
  "Id": "Policy1477065434531",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1477065432829",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::webapp-data-repo/*",
      "Principal": "*"
    }
  ]
}

Now verify the Effect and Principal elements value. If the Effect element value is set to Allow and the Principal element value is set to "*" (i.e. everyone) or {"AWS": "*"}, the selected S3 bucket is publicly accessible unless there is a Condition element, and can be labeled as insecure. Both elements value must match in order to declare the bucket publicly accessible.

05 Repeat step no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Remediation / Resolution

To restrict access to your publicly accessible S3 buckets via bucket policies, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the publicly accessible S3 bucket that you want to configure (see Audit section part I to identify the right resource) and click the Properties tab from the dashboard top right menu:

Select the S3 bucket that you want to examine and click the Properties

04 Inside the Properties tab, click Permissions to expand the bucket permissions settings panel.

05 Click the Edit bucket policy button to access the bucket policy currently in use.

06 In the Bucket Policy Editor dialog box, perform one of the following actions based on your requirements:

  1. To disable entirely the public access to the selected bucket, click the Delete button available inside the policy editor box then select OK to confirm the action.
  2. To limit the public access to a specific AWS account or AWS IAM user, replace the Principal element current value with the Amazon Resource Name (ARN) of the AWS account ( e.g. { "AWS": "arn:aws:iam::123456789012:root" } ) or IAM user ( e.g. { "AWS": "arn:aws:iam::123456789012: user/David" } ) that should have access to the selected S3 bucket. Once the editing is complete, click Save to apply the policy changes and update the bucket access permissions.

07 Repeat steps no. 3 - 6 to restrict the public access to other S3 buckets available in your AWS account.

Using AWS CLI

01 First, edit the policy document and replace the Principal element value with the ARN of the AWS account ( e.g. { "AWS": "arn:aws:iam::123456789012:root" } ) or IAM user ( e.g. { "AWS": "arn:aws:iam::123456789012: user/David" } ) that should have access to the selected S3 bucket. Skip this step if you just want to disable the public access entirely. The following bucket policy example allows access only to an AWS IAM user named David: 

{
  "Id": "Policy1477065434531",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1477065432829",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::webapp-data-repo/*",
      "Principal": { "AWS": "arn:aws:iam::123456789012:user/David" }
    }
  ]
}

02 To restrict access to your publicly accessible S3 buckets based on your requirements, perform one of the following commands:

  1. Run delete-bucket-policy command (OSX/Linux/UNIX) to remove the attached policy in order to disable entirely the public access to the selected bucket (the command does not return any output): 
    aws s3api delete-bucket-policy
	--bucket webapp-data-repo
  2. Run put-bucket-policy command (OSX/Linux/UNIX) to replace the existing bucket policy with the one created at step no. 1, i.e. bucket-policy.json (the command does not produce any output): 
    aws s3api put-bucket-policy
	--bucket webapp-data-repo
	--policy file://bucket-policy.json

03 Repeat step no. 1 and 2 to restrict the public access to other AWS S3 buckets available in your account.

References

Publication date May 10, 2016

Related S3 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

S3 Bucket Public Access Via Policy

Risk level: Very High