To protect your S3 data from unauthorized access, ensure that your AWS S3 buckets do not allow anonymous users to modify their access control permissions. An S3 bucket that allows public WRITE_ACP (EDIT PERMISSIONS) access gives any malicious user on the Internet the capability to READ and WRITE the bucket's ACL permissions, an overly permissive grant that can lead to data loss or economic denial-of-service attacks (i.e. uploading a large number of files to drive up the cost of the S3 service within your AWS account).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Granting public "WRITE_ACP" access to your AWS S3 buckets allows anonymous users to edit the bucket's ACL and, by granting themselves further permissions, eventually view, upload, modify and delete S3 objects within the bucket without restrictions. Cloud Conformity strongly recommends against setting the WRITE_ACP (EDIT PERMISSIONS) permission for the "Everyone" predefined group in production.
Audit
To determine if your existing AWS S3 buckets allow public WRITE_ACP access, perform the following:
Remediation / Resolution
To remove public WRITE_ACP access for your S3 buckets, you need to perform the following:
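The audit and remediation steps above, as an added example that is not part of the Cloud Conformity rule page: it uses boto3 (assumed tooling) to flag grants that give the "Everyone" (AllUsers) group WRITE_ACP, or FULL_CONTROL since that bundles WRITE_ACP, and builds the replacement ACL that drops only those grants. The sample ACL is constructed in the shape `get_bucket_acl` returns; the function names are my own.

```python
# Constructed sample in the shape boto3's get_bucket_acl returns.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# FULL_CONTROL bundles WRITE_ACP, so it is treated as an ACL-edit grant too.
ACP_EDIT_PERMISSIONS = {"WRITE_ACP", "FULL_CONTROL"}
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "WRITE_ACP"},
    ],
}

def is_public_write_acp(grant):
    """True if the grant lets the 'Everyone' (AllUsers) group edit the ACL."""
    grantee = grant.get("Grantee", {})
    return (grantee.get("Type") == "Group"
            and grantee.get("URI") == ALL_USERS_URI
            and grant.get("Permission") in ACP_EDIT_PERMISSIONS)

def public_write_acp_grants(acl):
    """Offending grants from a get_bucket_acl-style response (the audit step)."""
    return [g for g in acl.get("Grants", []) if is_public_write_acp(g)]

def remediated_acl(acl):
    """AccessControlPolicy for put_bucket_acl: public ACL-edit grants dropped,
    the owner's and every other grant kept (the remediation step)."""
    return {"Owner": acl["Owner"],
            "Grants": [g for g in acl.get("Grants", []) if not is_public_write_acp(g)]}

def audit_account(remediate=False):
    """Check every bucket in the account; needs boto3 and AWS credentials."""
    import boto3  # imported here so the pure helpers above run without it
    s3 = boto3.client("s3")
    findings = {}
    for bucket in s3.list_buckets()["Buckets"]:
        acl = s3.get_bucket_acl(Bucket=bucket["Name"])
        bad = public_write_acp_grants(acl)
        if bad:
            findings[bucket["Name"]] = bad
            if remediate:
                s3.put_bucket_acl(Bucket=bucket["Name"], AccessControlPolicy=remediated_acl(acl))
    return findings

if __name__ == "__main__":
    print("public WRITE_ACP grants:", public_write_acp_grants(SAMPLE_ACL))
    print("cleaned ACL:", remediated_acl(SAMPLE_ACL))
```

`put_bucket_acl` with an `AccessControlPolicy` replaces the whole ACL, which is why `remediated_acl` keeps every non-public grant rather than only removing the bad one. Buckets whose Object Ownership is set to "bucket owner enforced" have ACLs disabled and reject this call, but they also cannot carry a public WRITE_ACP grant in the first place.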
S3 Bucket Public 'WRITE_ACP' Access
Risk level: Very High