Ensure that your Amazon S3 buckets are not publicly accessible from the Internet via bucket policies, in order to protect against unauthorized access. Allowing unrestricted access through bucket policies gives everyone the ability to list the objects within the bucket (ListBucket), download objects (GetObject), upload or delete objects (PutObject, DeleteObject), view permissions (GetBucketAcl), edit permissions (PutBucketAcl) and more. Trend Cloud One™ – Conformity strongly recommends using bucket policies to limit access to a trusted entity, such as an authorized AWS account, instead of granting access to everyone on the Internet.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Granting public access to your Amazon S3 buckets via bucket policies can allow malicious users to view, get, upload, modify, and delete S3 objects, which can lead to data breaches, data loss and unexpected charges on your AWS monthly bill.
Audit
To determine if your Amazon S3 buckets allow public access via bucket policies, perform the following operations:
Remediation / Resolution
To deny public access to your Amazon S3 buckets using bucket policies, perform the following operations:
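The audit step above (finding bucket policies that grant access to everyone) and the remediation step (restricting the policy to a trusted AWS account) both come down to inspecting the policy document returned by `get-bucket-policy`. The following Python is an added example, not Conformity's own check or AWS's evaluation logic: it flags `Allow` statements whose principal is a wildcard and that carry no scoping condition, then rewrites those statements to trust a single account. The sample policies, bucket names and account id `123456789012` are constructed for the example, and the set of condition keys treated as "scoping" is a deliberately simplified approximation of AWS's broader definition of a public policy.

```python
import json

# Simplified approximation of condition keys that scope a wildcard principal to a
# known account, organization or network. AWS's own "public" evaluation is broader.
RESTRICTING_CONDITION_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
}

# Constructed sample policies (not real buckets). The first is open to everyone.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::public-bucket", "arn:aws:s3:::public-bucket/*"],
    }],
})
# Wildcard principal, but scoped to one organization: not Internet-accessible.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::scoped-bucket/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})
# Explicit trusted account, no wildcard at all.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::private-bucket/*",
    }],
})
SAMPLE_BUCKETS = {
    "public-bucket": PUBLIC_POLICY,
    "scoped-bucket": SCOPED_POLICY,
    "private-bucket": PRIVATE_POLICY,
}


def _as_list(value):
    """Policy grammar allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _has_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} (including "*" inside a list of AWS principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_restricting_condition(statement):
    """True if any condition key scopes the statement to a known party or network."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def public_statements(policy_json):
    """Return the Sids (or positional labels) of Allow statements open to everyone."""
    policy = json.loads(policy_json)
    found = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _has_wildcard_principal(stmt.get("Principal"))
                and not _has_restricting_condition(stmt)):
            found.append(stmt.get("Sid", f"statement[{idx}]"))
    return found


def is_policy_public(policy_json):
    return bool(public_statements(policy_json))


def audit_buckets(policies_by_bucket):
    """Audit: given {bucket_name: policy_json}, return buckets whose policy is public."""
    return sorted(name for name, doc in policies_by_bucket.items() if is_policy_public(doc))


def restrict_to_account(policy_json, account_id):
    """Remediation: replace every wildcard principal with the given trusted account."""
    policy = json.loads(policy_json)
    trusted = {"AWS": f"arn:aws:iam::{account_id}:root"}
    for stmt in _as_list(policy.get("Statement", [])):
        if _has_wildcard_principal(stmt.get("Principal")):
            stmt["Principal"] = trusted
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("Public buckets:", audit_buckets(SAMPLE_BUCKETS))
    print(restrict_to_account(PUBLIC_POLICY, "123456789012"))
```

To run this against a real account, the policy document for each bucket returned by `aws s3api list-buckets` can be fetched with `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` and fed to `audit_buckets`; the hardened document from `restrict_to_account` is applied with `aws s3api put-bucket-policy --bucket <name> --policy file://hardened.json`, or the policy is removed altogether with `aws s3api delete-bucket-policy` if the bucket needs no cross-account access. The checker is intentionally conservative in one direction only: a wildcard principal without a recognised scoping condition is always reported, while a condition key outside the small set above is not treated as scoping, so results should be reviewed rather than applied blindly.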
References
- AWS Documentation
- Amazon S3 FAQs
- Identity and access management in Amazon S3
- Access control list (ACL) overview
- Configuring ACLs
- AWS Command Line Interface (CLI) Documentation
- s3api
- list-buckets
- get-bucket-policy
- put-bucket-policy
- delete-bucket-policy
- CloudFormation Documentation
- Amazon Simple Storage Service resource type reference
- Terraform Documentation
- AWS Provider