acquires Cloud Conformity
Open menu

S3 Bucket Public 'FULL_CONTROL' Access

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Knowledge Base Best practice rules for Amazon Web Services AWS S3 Best Practices S3 Bucket Public 'FULL_CONTROL' Access
Security
Risk level: Very High (act immediately)
Rule ID: S3-005

Ensure there aren't any publicly accessible S3 buckets available in your AWS account in order to protect your S3 data from loss and unauthorized access. A publicly accessible S3 bucket allows FULL_CONTROL access to everyone (i.e. anonymous users) to LIST (READ) the objects within the bucket, UPLOAD/DELETE (WRITE) objects, VIEW (READ_ACP) object permissions and EDIT (WRITE_ACP) object permissions. Cloud Conformity strongly recommends against using all these permissions for the “Everyone” ACL predefined group in production.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Granting public (FULL_CONTROL) access to your S3 buckets can allow malicious users to view, upload, modify and delete S3 objects, actions that can lead to severe security issues such as data loss and unexpected charges on your AWS bill.

Audit

To determine if your AWS S3 buckets access is granted to everyone, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

Properties tab from the S3 dashboard top right menu

04 In the Properties panel, click the Permissions tab and check the Access Control List (ACL) for any grantee named "Everyone". A grantee can be an AWS account or an AWS S3 predefined group. The grantee called "Everyone" is the predefined group that allows access to anonymous users. If the bucket ACL configuration does lists the "Everyone" predefined group with all the permissions enabled:

'Everyone' predefined group with all the permissions enabled

the selected S3 bucket is publicly accessible and insecure.

05 Repeat steps no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets within your account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available across all AWS regions: 

[
    "webapp-status-reports",
    ...
    "webapp-data-repository"
]

03 Run get-bucket-acl command (OSX/Linux/UNIX) to return the access control policy for selected S3 bucket: 

aws s3api get-bucket-acl
	--bucket webapp-data-repository

04 The command output should display the bucket policy document which contains the AWS users and groups that have access to the bucket and their level of permissions. If the Grantee group URI is equal to “http://acs.amazonaws.com/groups/global/AllUsers” (Everyone) and has the READ, WRITE, READ_ACP and WRITE_ACP permissions associated with it, the selected S3 bucket is not secured against unauthorized access. The following example displays an S3 bucket ACL policy that allows public access (FULL_CONTROL) to everyone: 

{
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "718f3e58089ec3bd00296f84056525d78415fd5e56d8309358e998965"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ_ACP"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "WRITE_ACP"
        }
    ]
}

05 Repeat steps no. 3 and 4 for each available S3 bucket that you want to examine.

Remediation / Resolution

To remove public (FULL_CONTROL) access for your S3 buckets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

Properties tab from the S3 dashboard top right menu

04 In the Properties panel, click Permissions to expand the bucket Access Control List (ACL) configuration tab and search for the grantee (predefined group) named "Everyone".

uncheck-all-the-permissions-applied-to-Everyone.png

05 Uncheck all the permissions applied to "Everyone":

Uncheck all the permissions applied to 'Everyone'

or delete the predefined group using the x (delete) button:

delete the predefined group using the x (delete) button

06 Click Save to apply the new ACL configuration and remove the bucket public access.

07 Repeat steps no. 3 – 6 for each publicly accessible S3 bucket available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all S3 buckets available in your account:

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each existing S3 bucket: 

[
    "webapp-status-reports",
    ...
    "webapp-data-repository"
]

03 Run put-bucket-acl command (OSX/Linux/UNIX) using the bucket name as command parameter, to change the permissions and remove the public access (FULL_CONTROL access) for the selected S3 bucket (no output is returned): 

aws s3api put-bucket-acl
	--bucket webapp-data-repository
	--acl private

04 Repeat step no. 3 for each publicly accessible S3 bucket within your AWS account.

References

Publication date May 11, 2016

Related S3 rules

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to

Thanks!

A verification email has been sent to