Ensure S3 buckets are not publicly accessible without a condition

Risk Level: High
Simple Storage Service (S3)
Rule ID: D9.AWS.NET.06
Category: Storage
Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion. S3 bucket policy should ensure that principal of least privilege is being followed. A condition statement can be used to control the scope of the policy.

gsl logic

S3Bucket should not have ( accessPublicBlock isEmpty() = true or accessPublicBlock.ignorePublicAcls = false or accessPublicBlock.restrictPublicBuckets =false ) and ( acl.grants contain [uri like 'http://acs.amazonaws.com/groups/global/%'] or policy.Statement with [Effect='Allow' and (Principal='*' or Principal.AWS='*') and Condition isEmpty()])

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language

Remediation


From Portal:
1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.
3. Choose Permissions.
4. Choose Edit to change the public access settings for the bucket.
5. Choose the setting that you want to change, and then choose Save
6. Under Bucket policy, choose Edit. This opens the Edit bucket policy page.
7. On the Edit bucket policy page, explore Policy examples in the Amazon S3 User Guide, choose Policy generator to generate a policy automatically, or edit the JSON in the Policy section.
Here remove policies for principals '*'. If necessary, modify the policy instead, to limit the access to specific principals.
8. In the Policy box, edit the existing policy or paste the bucket policy from the Policy generator. Make sure to resolve security warnings, errors, general warnings, and suggestions before you save your policy.
9. Choose Save changes, which returns you to the Bucket Permissions page.

From TF:
Add a policy document with required permissions and appropriate condition as needed as follows:


data "aws_iam_policy_document" "example" {
 ...
 statement {
  effect = "Allow"
  
  actions = [
  REQUIRED_ACTIONS
  ]
  principals {
   REQUIRED_PRINCIPALS
   }
  
  resources = [
  "S3_BUCKET_ARN",
  ]
  
  condition {
   test = TEST
   variable = CONTEXT_VARIABLE
   
   values = [
   VALUES
   ]
   }
  }
 ...
 }



From Command Line:
To add a policy with required permissions and appropriate condition as needed, run:


aws s3api put-bucket-policy --bucket BUCKET-NAME --policy file://policy.json



References:
1. https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
2. https://registry.terraform.io/providers/hashicorp/aws/3.3.0/docs/data-sources/iam_policy_document
3. https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
4. https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html

Auto Remediation Using Cloudbots


cloudbot_name: s3_delete_permissions

What it does: Deletes all ACLs and bucket policies from a bucket
Usage: s3_delete_permissions
Limitations: none

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

HIPAA PCIDSS32 ISO27001 NIST_CSF BP_0318