Deny S3 Log Delivery Group Write Permission on the Source Bucket

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Amazon S3 Log Delivery Group does not have permission to write to the S3 source bucket (i.e. the S3 bucket where S3 Server Access Logging is enabled).

Security

With the S3 Server Access Logging feature you can track any requests made to access your Amazon S3 buckets and use the log data to audit them and protect them against unauthorized access. Amazon S3 Server Access Logging uses a special log delivery account, called the S3 Log Delivery Group, to write access logs. These writes are subject to the usual access control restrictions. To follow AWS cloud security best practices, grant the Log Delivery Group WRITE permission on the target bucket only (i.e. the S3 bucket where you want the access logs to be saved) by adding a grant entry in that bucket's Access Control List (ACL), and make sure the group holds no WRITE grant on the source bucket (i.e. the bucket where access logging is enabled). A WRITE grant on the source bucket is a misconfiguration that gives the S3 Log Delivery Group more access than it needs: the group only needs to write to the target bucket, yet it can also write objects into the bucket whose requests are being logged.

This conformity rule applies only to S3 Log Delivery systems that use a different bucket for storing access logs, meaning that the source bucket and the target bucket are not the same.


Audit

To determine if Amazon S3 Log Delivery Group has permission to write on the S3 source bucket, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Server access logging section, make sure that the Server access logging attribute value is set to Enabled, choose Edit, and check the name of the S3 bucket defined in the Target bucket configuration box. If the target bucket is different from the source bucket (i.e. the one selected at step no. 3), continue the process with the next step, otherwise the Audit process ends here.

06 Return to the S3 bucket main menu and select the Permissions tab to access the bucket permissions.

07 In the Access control list (ACL) section, check the Access Control List (ACL) configuration settings available for the grantee named S3 log delivery group. If the S3 log delivery group grantee is set to Write in the Objects column, the S3 Log Delivery Group has permission to write on the selected Amazon S3 source bucket.

08 Repeat steps no. 3 – 7 to check the S3 Log Delivery Group write permissions for other Amazon S3 source buckets available in your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available within your AWS cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
	"cc-project5-appdata",
	"cc-internal-appdata",
	"cc-appdata-access-logs"
]

03 Run get-bucket-logging command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter and custom query filters to describe the name of the target bucket configured for the selected S3 bucket:

aws s3api get-bucket-logging \
  --bucket cc-project5-appdata \
  --query 'LoggingEnabled.TargetBucket'

04 The command output should return the name of the associated target bucket (i.e. the S3 bucket configured to store Server Access Logs for the selected bucket). If the get-bucket-logging command does not return any output, the Server Access Logging feature is not enabled for the selected bucket. If the name of the target bucket is different from the name of the source bucket that you have selected to examine, continue the process with the next step, otherwise the Audit process ends here:

"cc-appdata-access-logs"

05 Run get-bucket-acl command (OSX/Linux/UNIX) using the name of the source bucket that you want to examine as the identifier, to describe the Access Control List (ACL) configuration set for the S3 log delivery group grantee, available for the selected S3 bucket:

aws s3api get-bucket-acl \
  --bucket cc-project5-appdata \
  --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/s3/LogDelivery`)]'

06 The command output should return the ACL configuration available for the S3 log delivery group grantee:

[
	{
		"Grantee": {
			"Type": "Group",
			"URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
		},
		"Permission": "WRITE"
	}
]

If the get-bucket-acl command output returns "WRITE" for the "Permission" attribute value, as shown in the output example above, the S3 Log Delivery Group has permission to write on the selected Amazon S3 source bucket.

07 Repeat steps no. 3 – 6 to verify the S3 Log Delivery Group write permissions for other Amazon S3 source buckets available within your AWS cloud account.

Remediation/Resolution

To deny Amazon S3 Log Delivery Group the permission to write on the source bucket, perform the following operations:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

	terraform {
		required_providers {
			aws = {
				source  = "hashicorp/aws"
				version = "~> 4.0"
			}
		}

		required_version = ">= 0.14.9"
	}

	provider "aws" {
		profile = "default"
		region  = "us-east-1"
	}

	data "aws_canonical_user_id" "current" {}

	# The source bucket, i.e. the bucket that has Server Access Logging enabled
	resource "aws_s3_bucket" "s3-bucket" {
		bucket = "cc-project5-appdata"
	}

	# ACL grants can only be managed when object ownership is not "BucketOwnerEnforced"
	resource "aws_s3_bucket_ownership_controls" "s3-bucket-ownership" {

		bucket = aws_s3_bucket.s3-bucket.id
		rule {
			object_ownership = "BucketOwnerPreferred"
		}
	}

	resource "aws_s3_bucket_acl" "s3-bucket-acl" {
		depends_on = [aws_s3_bucket_ownership_controls.s3-bucket-ownership]

		bucket = aws_s3_bucket.s3-bucket.id
		access_control_policy {

			owner {
				id = data.aws_canonical_user_id.current.id
			}

			grant {
				grantee {
					id   = data.aws_canonical_user_id.current.id
					type = "CanonicalUser"
				}
				permission = "READ"
			}

			# The S3 Log Delivery Group keeps READ only; the WRITE grant is
			# removed from the source bucket
			grant {
				grantee {
					type = "Group"
					uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
				}
				permission = "READ"
			}

		}
	}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Permissions tab from the console menu to access the bucket permissions.

05 In the Access control list (ACL) section, choose Edit to modify the Access Control List (ACL) configuration available for the selected S3 bucket.

06 Under Access control list (ACL), deselect the Write permission checkbox available next to the S3 log delivery group grantee in the Objects column, to disable the Amazon S3 Log Delivery Group permission to write on the selected S3 source bucket. Select I understand the effects of these changes on my objects and buckets checkbox for confirmation, then choose Save changes to apply the changes.

07 Repeat steps no. 3 – 6 to remove the S3 Log Delivery Group write permissions for other S3 source buckets available in your AWS cloud account.

Using AWS CLI

01 Modify the Access Control List (ACL) configuration for the source bucket that you want to reconfigure (see Audit section part II to identify the right S3 resource), to remove the WRITE permissions set for the S3 log delivery group grantee. Replace the ACL configuration details with your own details, then save the modified ACL policy to a JSON document named cc-deny-write-permissions.json.

02 Run put-bucket-acl command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter, to deny the S3 Log Delivery Group the permission to write on the specified source bucket, using the Access Control List (ACL) policy defined at the previous step (if successful, the command does not produce an output):

aws s3api put-bucket-acl \
  --bucket cc-project5-appdata \
  --access-control-policy file://cc-deny-write-permissions.json

03 Repeat steps no. 1 and 2 for each Amazon S3 source bucket available within your AWS cloud account.
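The following Python script is an added example; it is not part of this Conformity article and not Trend Micro's tooling. It applies the Audit check (CLI steps 03 to 06) and Remediation step 01 to constructed sample documents shaped like the get-bucket-logging and get-bucket-acl output shown above, so it runs offline without AWS credentials. The canonical user ID is a placeholder and the extra READ_ACP grant is an assumption for illustration. It goes slightly beyond the article in one respect: a FULL_CONTROL grant to the Log Delivery Group is treated as write-capable too, because FULL_CONTROL includes WRITE.

```python
"""Added example (not Conformity's own tooling): apply this rule to the JSON
that `aws s3api get-bucket-logging` and `aws s3api get-bucket-acl` return, and
build the ACL document for `aws s3api put-bucket-acl`."""
import json

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
# FULL_CONTROL implies WRITE, so both give the group write access to the bucket.
WRITE_CAPABLE = {"WRITE", "FULL_CONTROL"}

# Constructed sample documents, shaped like the CLI output in the Audit section.
# The canonical user ID is a placeholder, not a real account ID.
SAMPLE_LOGGING = {"LoggingEnabled": {"TargetBucket": "cc-appdata-access-logs",
                                     "TargetPrefix": ""}}
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-CANONICAL-USER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-USER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": "READ_ACP"},
    ],
}


def is_log_delivery_grant(grant):
    """True for a grant whose grantee is the S3 Log Delivery Group."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") == LOG_DELIVERY_URI


def log_delivery_permissions(acl):
    """Permissions the S3 Log Delivery Group holds on the bucket, sorted."""
    return sorted(g["Permission"] for g in acl.get("Grants", []) if is_log_delivery_grant(g))


def uses_separate_target(bucket, logging):
    """True only when access logging is enabled and logs go to another bucket;
    the rule does not apply when source and target bucket are the same."""
    enabled = logging.get("LoggingEnabled")
    if not enabled:
        return False
    return enabled.get("TargetBucket") != bucket


def violates_rule(bucket, logging, acl):
    """Audit steps 03 to 06: the bucket is a separate source bucket and the
    Log Delivery Group holds a write-capable grant on it."""
    if not uses_separate_target(bucket, logging):
        return False
    return any(p in WRITE_CAPABLE for p in log_delivery_permissions(acl))


def strip_log_delivery_write(acl):
    """Remediation step 01: copy of the ACL without the Log Delivery Group's
    write-capable grants. put-bucket-acl replaces the whole ACL, so every
    other grant is carried over unchanged."""
    kept = [g for g in acl.get("Grants", [])
            if not (is_log_delivery_grant(g) and g.get("Permission") in WRITE_CAPABLE)]
    return {"Owner": acl["Owner"], "Grants": kept}


if __name__ == "__main__":
    source_bucket = "cc-project5-appdata"
    print("violates rule:", violates_rule(source_bucket, SAMPLE_LOGGING, SAMPLE_ACL))
    # Save this output as cc-deny-write-permissions.json for put-bucket-acl
    print(json.dumps(strip_log_delivery_write(SAMPLE_ACL), indent=2))
```

To use it against a real bucket, load the output of get-bucket-logging and get-bucket-acl with json.load instead of the constructed samples; the dictionary returned by strip_log_delivery_write is the document step 01 asks you to save as cc-deny-write-permissions.json. Carrying the other grants over matters because put-bucket-acl replaces the entire ACL rather than merging with it, so a document containing only the Log Delivery Group entries would drop the owner's own access.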

Publication date Sep 5, 2023