S3 bucket should not allow get actions from all principals

Risk Level: High
Simple Storage Service (S3)
Rule ID: D9.AWS.IAM.37
Category: Storage
Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion

gsl logic

S3Bucket should not have policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*') and (Action contain [$ regexMatch /^s3:Get/] or Action regexMatch /^s3:Get/) ]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language


In the S3 console, select the Permissions tab, and then Bucket Policy. Remove policies for s3:Get* actions for principals '*'. If necessary, modify the policy instead, to limit the access to specific principals.

Refer to: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html

Auto Remediation Using Cloudbots

cloudbot_name: s3_limit_access

What it does: Removes policies for the following actions for principals '': s3:Delete, s3:Get*, s3:List*, s3:Put*, s3:RestoreObject and s3:*.
Usage: s3_limit_access
Notes: The bot Removes these actions from the policy. if this is the only action, the whole policy will be removed. If necessary, modify the policy after the deletation, to limit the access to specific principals.
Limitations: The bot removes the policies for all the mentioned actions, if exist.

cloudbot_name: s3_delete_permissions

What it does: Deletes all ACLs and bucket policies from a bucket
Usage: s3_delete_permissions
Limitations: none

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere – web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.

Compliance Frameworks