Ensure that your AWS S3 buckets do not allow anonymous users to modify their access control permissions, to protect your S3 data from unauthorized access. An S3 bucket that allows public WRITE_ACP (EDIT PERMISSIONS) access gives any malicious user on the Internet the capability to read and rewrite the bucket's ACL permissions, an overly permissive grant that can lead to data loss or economic denial-of-service attacks (e.g. uploading a large number of files to drive up the cost of the S3 service within your AWS account).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Granting public "WRITE_ACP" access to your AWS S3 buckets can allow anonymous users to edit their ACL permissions and eventually be able to view, upload, modify and delete S3 objects within the bucket without restrictions. Cloud Conformity strongly recommends against setting WRITE_ACP (EDIT PERMISSIONS) permission for the "Everyone" predefined group in production.
To determine if your existing AWS S3 buckets allow public WRITE_ACP access, perform the following:
To remove public WRITE_ACP access for your S3 buckets, you need to perform the following:
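As an added example (not part of this rule page or the Cloud Conformity tool), the check and the remediation above can be expressed against the ACL structure that boto3's `get_bucket_acl()` returns: flag any grant that gives the "Everyone" (AllUsers) predefined group WRITE_ACP, and build the cleaned AccessControlPolicy to send back with `put_bucket_acl()`. It goes slightly beyond the page by also treating FULL_CONTROL (which implies WRITE_ACP) and the AuthenticatedUsers group as violations; the sample ACL and owner ID are constructed for the example.

```python
"""Audit an S3 bucket ACL for public WRITE_ACP grants and build a cleaned ACL.

The ACL dict has the shape returned by boto3's s3.get_bucket_acl(); the
sample at the bottom is constructed for this example, not a real account.
"""

# Predefined groups whose grants make a bucket "public" for this rule.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # Everyone
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS user
}
# Permissions that let the grantee edit the ACL (FULL_CONTROL implies WRITE_ACP).
ACP_EDIT_PERMISSIONS = {"WRITE_ACP", "FULL_CONTROL"}


def is_public_acp_grant(grant: dict) -> bool:
    """True if this grant lets a public group edit the bucket ACL."""
    grantee = grant.get("Grantee", {})
    return (
        grantee.get("Type") == "Group"
        and grantee.get("URI") in PUBLIC_GROUP_URIS
        and grant.get("Permission") in ACP_EDIT_PERMISSIONS
    )


def find_public_acp_grants(acl: dict) -> list:
    """Return every grant in the ACL that violates the rule (the check step)."""
    return [g for g in acl.get("Grants", []) if is_public_acp_grant(g)]


def remediated_acl(acl: dict) -> dict:
    """Return an AccessControlPolicy with the offending grants removed.

    Shaped for s3.put_bucket_acl(Bucket=..., AccessControlPolicy=...).
    Non-violating grants (owner access, public READ, etc.) are kept as-is.
    """
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if not is_public_acp_grant(g)],
    }


# Constructed sample: owner has FULL_CONTROL, Everyone has WRITE_ACP and READ.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE_OWNER_CANONICAL_ID"},  # placeholder, not a real ID
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_CANONICAL_ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE_ACP"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for grant in find_public_acp_grants(SAMPLE_ACL):
        print("VIOLATION:", grant["Grantee"]["URI"], grant["Permission"])
    # Live use: s3.put_bucket_acl(Bucket=name, AccessControlPolicy=remediated_acl(acl))
```

Only the WRITE_ACP grant to AllUsers is reported; the public READ grant is left untouched because it is outside this rule's scope.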