Ensure that your AWS S3 buckets are configured, using bucket policies, to allow access only from specific (trusted) IP addresses, in order to protect against unauthorized access. Before the Cloud Conformity engine runs this rule, you need to configure the rule with the list of public IPv4 addresses that are allowed to access your S3 buckets.
Allowing untrusted access to your AWS S3 buckets can lead to unauthorized actions such as viewing, uploading, modifying or deleting S3 objects. Whether you want to prevent S3 data exposure, data loss and unexpected charges on your AWS bill, or simply want a central place to manage bucket access through policies, you need to ensure that your S3 buckets are accessible only to a short list of safelisted IPs.
Note: Since S3 bucket policies are limited to 20 KB in size, you must configure the rule with a short list of trusted IP addresses.
Audit
To determine if the access to your S3 buckets is restricted to specific IP addresses via bucket policies, perform the following:
Remediation / Resolution
To update your Amazon S3 buckets policy in order to grant access only to specific (trusted) IP addresses, perform the following:
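As an added example (not Cloud Conformity's rule engine and not AWS code), the Python below builds the "allow from trusted IPs only" bucket policy that the remediation describes, enforces the 20 KB bucket policy limit from the note above, and applies the same check the audit performs to a policy document such as the one returned by `aws s3api get-bucket-policy`. The function names, the bucket name and the CIDR ranges are assumptions constructed for illustration; the ranges come from the RFC 5737 documentation blocks.

```python
"""Build and audit S3 bucket policies that restrict access by source IP.

Added example, not Cloud Conformity's or AWS's code. The function names,
bucket name and CIDR ranges are assumptions constructed for illustration.
"""
import ipaddress
import json

POLICY_SIZE_LIMIT = 20 * 1024  # S3 bucket policies are limited to 20 KB

# Constructed trusted list (RFC 5737 documentation ranges), as the rule
# would be configured before the engine runs it.
TRUSTED = ["203.0.113.0/24", "198.51.100.7"]


def _as_list(value):
    """Policy JSON allows a single string where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def build_ip_restricted_policy(bucket_name, trusted_cidrs):
    """Return a bucket policy granting any S3 action on the bucket and its
    objects only to requests whose aws:SourceIp is in trusted_cidrs."""
    cidrs = []
    for c in trusted_cidrs:
        net = ipaddress.ip_network(c, strict=False)  # ValueError on malformed input
        if net.version != 4:
            raise ValueError(f"rule is configured with public IPv4 addresses only: {c}")
        cidrs.append(str(net))  # bare addresses are normalised to /32
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAccessFromTrustedIPsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket_name}",
                         f"arn:aws:s3:::{bucket_name}/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
        }],
    }
    size = len(json.dumps(policy).encode("utf-8"))
    if size > POLICY_SIZE_LIMIT:
        raise ValueError(f"policy is {size} bytes, over the 20 KB bucket policy limit")
    return policy


def audit_bucket_policy(policy_json, trusted_cidrs):
    """Classify a bucket policy the way the rule does.

    Returns (status, untrusted): "COMPLIANT" when at least one statement
    restricts access by aws:SourceIp and every range it lists sits inside
    the configured trusted list, otherwise "NOT_COMPLIANT" plus the ranges
    that are not trusted. Both the Allow/IpAddress and Deny/NotIpAddress
    forms express "only these IPs" and are recognised.
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    restricting, untrusted = 0, []
    for stmt in _as_list(policy.get("Statement", [])):
        operator = "IpAddress" if stmt.get("Effect") == "Allow" else "NotIpAddress"
        ranges = None
        for op, keys in stmt.get("Condition", {}).items():
            if op == operator:
                for key, value in keys.items():
                    if key.lower() == "aws:sourceip":  # condition keys are case-insensitive
                        ranges = _as_list(value)
        if ranges is None:
            continue  # statement does not restrict by source IP
        restricting += 1
        for r in ranges:
            net = ipaddress.ip_network(r, strict=False)
            if not any(net.subnet_of(t) for t in trusted if t.version == net.version):
                untrusted.append(r)
    status = "COMPLIANT" if restricting and not untrusted else "NOT_COMPLIANT"
    return status, untrusted


# Constructed policy that lets an unexpected range through.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "192.0.2.0/24"]}},
    }],
})

if __name__ == "__main__":
    good = build_ip_restricted_policy("example-bucket", TRUSTED)
    print(json.dumps(good, indent=2))
    print(audit_bucket_policy(good, TRUSTED))        # ('COMPLIANT', [])
    print(audit_bucket_policy(BAD_POLICY, TRUSTED))  # ('NOT_COMPLIANT', ['192.0.2.0/24'])
    print(audit_bucket_policy('{"Version": "2012-10-17", "Statement": []}', TRUSTED))
```

The Allow form above is the one the note in this section describes: it grants the trusted ranges access, but it does not by itself block IAM identities that hold their own S3 permissions. A Deny statement with a `NotIpAddress` condition on `aws:SourceIp` is the form that blocks every other source, and the audit function recognises that form as well.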
Note: As an example, this rule section demonstrates how to grant specific IPs permission to perform any S3 operation on objects within the selected bucket.

References
- AWS Documentation
  - Amazon Simple Storage Service (S3) FAQs
  - Using Bucket Policies and User Policies
  - Access Policy Language Overview
  - IAM JSON Policy Elements: Condition
  - Bucket Policy Examples
- AWS Command Line Interface (CLI) Documentation
  - s3api
  - list-buckets
  - get-bucket-policy
  - put-bucket-policy
You are auditing: Limit S3 Bucket Access by IP Address
Risk level: Medium