Ensure that your Amazon S3 buckets are not allowing FULL_CONTROL access to anonymous users (i.e. public access) in order to prevent unauthorized access. A publicly accessible Amazon S3 bucket allows everyone to LIST (READ) the objects within the bucket, UPLOAD/DELETE (WRITE) objects, VIEW (READ_ACP) object permissions, and EDIT (WRITE_ACP) object permissions. Trend Cloud One™ – Conformity strongly recommends against setting all these permissions for the "Everyone (public access)" grantee in production.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Granting public FULL_CONTROL access to your Amazon S3 buckets can allow everyone on the Internet to view, upload, modify, and delete S3 objects without any restrictions. Exposing your S3 buckets to the public Internet can lead to data leaks, data loss, and unexpected charges on your AWS bill.
Audit
To determine if your Amazon S3 buckets are exposed to the Internet, perform the following operations:
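The following script is an added example (it is not part of Conformity's rule, nor the console or CLI steps of this page) of the audit logic: it takes the JSON that `aws s3api get-bucket-acl --bucket <name>` returns, lists every grant made to the public group grantees, and exits non-zero when FULL_CONTROL is granted to AllUsers, the "Everyone (public access)" grantee this rule is about. The bucket ACL it ships with is constructed, with fictitious owner IDs, so it runs offline; flagging the AuthenticatedUsers group as well is this example's own addition, because anyone with an AWS account matches that grantee.

```python
"""Audit helper: flag S3 bucket ACL grants made to public grantees.

Added example, not Conformity's own check. Input is the JSON printed by
`aws s3api get-bucket-acl --bucket <name>`; the sample ACL below is
constructed so the script runs offline.
"""
import json
import sys

# Pre-defined S3 group URIs. AllUsers is the "Everyone (public access)"
# grantee the rule targets; AuthenticatedUsers ("Any AWS user") is reported
# too (this example's assumption), since every AWS account holder matches it.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {
    ALL_USERS: "Everyone (public access)",
    AUTHENTICATED_USERS: "Any authenticated AWS user",
}


def public_grants(acl: dict) -> list[dict]:
    """Return every grant whose grantee is one of the public groups.

    Each finding carries the human label, the group URI and the permission
    (READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL).
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are not public
        uri = grantee.get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append({
                "grantee": PUBLIC_GRANTEES[uri],
                "uri": uri,
                "permission": grant.get("Permission"),
            })
    return findings


def has_public_full_control(acl: dict) -> bool:
    """True when the ACL violates this rule: FULL_CONTROL granted to AllUsers."""
    return any(g["uri"] == ALL_USERS and g["permission"] == "FULL_CONTROL"
               for g in public_grants(acl))


# Constructed sample in the shape get-bucket-acl returns (fictitious 64-hex IDs).
SAMPLE_PUBLIC_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "a1b2c3" + "0" * 58},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "example-owner",
                     "ID": "a1b2c3" + "0" * 58},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "FULL_CONTROL"},
    ],
}

# Same owner, but only the owner's own grant: what a private bucket looks like.
SAMPLE_PRIVATE_ACL = {
    "Owner": SAMPLE_PUBLIC_ACL["Owner"],
    "Grants": [SAMPLE_PUBLIC_ACL["Grants"][0]],
}


if __name__ == "__main__":
    # Usage: aws s3api get-bucket-acl --bucket my-bucket | python3 check_acl.py
    # With no piped input the constructed public ACL is checked instead.
    acl = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PUBLIC_ACL
    for finding in public_grants(acl):
        print(f"{finding['permission']:<12} granted to {finding['grantee']}")
    sys.exit(1 if has_public_full_control(acl) else 0)
```

To audit every bucket in an account, loop over `aws s3api list-buckets --query 'Buckets[].Name' --output text` and pipe each `get-bucket-acl` result into the script; a READ-only public grant is reported but does not fail this particular rule, which is scoped to FULL_CONTROL.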
Remediation / Resolution
To deny public FULL_CONTROL access to your Amazon S3 buckets using Access Control Lists (ACLs), perform the following operations:
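An added example, not a Conformity template or tool: a checker and hardener for AWS::S3::Bucket resources that applies the two controls the compliance note in this section accepts, an AccessControl of Private or all four PublicAccessBlockConfiguration flags set to true, and rewrites any failing bucket to use both. The template it ships with is constructed for the example and written in CloudFormation's JSON form so that no YAML library is needed.

```python
"""Check and harden AWS::S3::Bucket resources in a CloudFormation template.

Added example, not Conformity's own template or check. A bucket resource is
treated as compliant when it sets AccessControl: Private or turns on all four
PublicAccessBlockConfiguration flags; hardening applies both.
"""
import copy
import json

PUBLIC_ACCESS_BLOCK_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                             "IgnorePublicAcls", "RestrictPublicBuckets")


def blocks_all_public_access(props: dict) -> bool:
    """True only if every PublicAccessBlockConfiguration flag is true.

    A partial block (say only BlockPublicAcls) still leaves a public bucket
    policy or an existing public ACL effective, so it does not count.
    """
    pab = props.get("PublicAccessBlockConfiguration", {})
    return all(pab.get(flag) is True for flag in PUBLIC_ACCESS_BLOCK_FLAGS)


def is_compliant_bucket(resource: dict) -> bool:
    """Apply the rule's two accepted controls to one bucket resource."""
    if resource.get("Type") != "AWS::S3::Bucket":
        raise ValueError("not an AWS::S3::Bucket resource")
    props = resource.get("Properties", {})
    return props.get("AccessControl") == "Private" or blocks_all_public_access(props)


def harden_bucket(resource: dict) -> dict:
    """Return a copy with both controls set (defense in depth).

    The private canned ACL removes every public grantee, and the public
    access block stops a later ACL or bucket policy from re-opening the bucket.
    """
    hardened = copy.deepcopy(resource)
    props = hardened.setdefault("Properties", {})
    props["AccessControl"] = "Private"
    props["PublicAccessBlockConfiguration"] = {
        flag: True for flag in PUBLIC_ACCESS_BLOCK_FLAGS
    }
    return hardened


def non_compliant_buckets(template: dict) -> list[str]:
    """Logical IDs of every S3 bucket in the template that fails the rule."""
    return [name for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::S3::Bucket" and not is_compliant_bucket(res)]


def hardened_template(template: dict) -> dict:
    """Copy of the template in which every failing bucket has been hardened."""
    fixed = copy.deepcopy(template)
    for name in non_compliant_buckets(template):
        fixed["Resources"][name] = harden_bucket(template["Resources"][name])
    return fixed


# Constructed template: one public bucket, one only half-blocked, one compliant.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "PublicBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicReadWrite"}
    },
    "HalfBlockedBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": true}
      }
    },
    "PrivateBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "Private",
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true
        }
      }
    }
  }
}
""")


if __name__ == "__main__":
    print("non-compliant:", non_compliant_buckets(SAMPLE_TEMPLATE))
    print(json.dumps(hardened_template(SAMPLE_TEMPLATE), indent=2))
```

For a bucket that already exists, the CLI equivalents of the two controls are `aws s3api put-bucket-acl --bucket NAME --acl private` and `aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`. One caveat: the ACL part only matters for buckets that still have ACLs enabled; buckets created since April 2023 get S3 Block Public Access and the BucketOwnerEnforced object-ownership setting (ACLs disabled) by default, and leaving ACLs disabled is the stronger fix for those.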
Note: An S3 bucket can be deemed compliant if it either sets "AccessControl": "Private" or sets all of the "PublicAccessBlockConfiguration" feature options to true. Using both in the same CloudFormation template gives defense in depth.
References
- AWS Documentation
- Amazon S3 FAQs
- Managing Access Permissions to Your Amazon S3 Resources
- Access Control List (ACL) Overview
- Managing ACLs in the AWS Management Console
- Identity and access management in Amazon S3
- AWS Command Line Interface (CLI) Documentation
- s3api
- list-buckets
- get-bucket-acl
- put-bucket-acl
- CloudFormation Documentation
- AccessControl
- Terraform Documentation
- AWS Provider