AWS S3 Buckets Are Accessible To Public

This policy identifies S3 buckets which are publicly accessible. Amazon S3 allows customers to store or retrieve any type of content from anywhere on the web. Often, customers have legitimate reasons to expose an S3 bucket to the public, for example, to host website content. However, these buckets often contain highly sensitive enterprise data which, if left open to the public, may result in sensitive data leaks.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform, CloudFormation

Build Rules

AWS S3 buckets are accessible to public.
JSON Queries:
CloudFormation
($.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicRead or $.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicReadWrite)
Terraform
$.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket.*[*].*.acl anyEqual public-read-write or $.resource[*].aws_s3_bucket.*[*].*.acl anyEqual public-read)
Recommendations:
  • CloudFormation
    Recommended solution for making sure S3 buckets are not accessible to the public.
    It is recommended that S3 buckets are not accessible to the public. Please make sure the "AccessControl" property is not "PublicRead" or "PublicReadWrite" but is set to "Private", "AuthenticatedRead", "BucketOwnerRead" or "BucketOwnerFullControl".
    For example:
    "S3Bucket2": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "Private" } }
  • Terraform
    Recommended solution for making an AWS S3 bucket not accessible to the public.
    Ensure that AWS S3 buckets are not accessible to the public. Please make sure the "acl" attribute is set to "private" under "aws_s3_bucket".
    For example:
    "aws_s3_bucket": [ { "<s3_bucket_name>": [ { "acl": "private", "bucket": "my-tf-test-bucket", "tags": [ { "Environment": "Dev", "Name": "My bucket" } ] } ] } ]
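As an added example that is not part of the original policy text, the following Python implements the two build-rule checks above over already-parsed templates: a CloudFormation template as a dict, and Terraform in the JSON shape the example above uses (resource -> aws_s3_bucket -> list of {name: [body]} maps). The sample templates are constructed for illustration.

```python
# Values that the policy's JSON queries flag as public.
PUBLIC_CFN_ACLS = {"PublicRead", "PublicReadWrite"}
PUBLIC_TF_ACLS = {"public-read", "public-read-write"}


def public_buckets_cloudformation(template: dict) -> list:
    """Return logical IDs of AWS::S3::Bucket resources whose AccessControl is public.

    A missing AccessControl property is not flagged: the bucket ACL defaults to private.
    """
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        acl = res.get("Properties", {}).get("AccessControl")
        if acl in PUBLIC_CFN_ACLS:
            findings.append(logical_id)
    return findings


def public_buckets_terraform(doc: dict) -> list:
    """Return names of aws_s3_bucket resources whose acl is public-read or public-read-write."""
    findings = []
    for block in doc.get("resource", []):           # $.resource[*]
        for bucket_map in block.get("aws_s3_bucket", []):  # .aws_s3_bucket.*
            for name, bodies in bucket_map.items():  # "<s3_bucket_name>": [ {...} ]
                for body in bodies:
                    if body.get("acl") in PUBLIC_TF_ACLS:
                        findings.append(name)
    return findings


# Constructed sample templates (assumption, not from the page): one public, one private bucket each.
CFN_SAMPLE = {
    "Resources": {
        "PublicSite": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
        "PrivateData": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},  # not a bucket, ignored
    }
}
TF_SAMPLE = {
    "resource": [{"aws_s3_bucket": [
        {"logs": [{"acl": "public-read-write", "bucket": "example-logs"}]},
        {"backup": [{"acl": "private", "bucket": "example-backup"}]},
    ]}]
}

if __name__ == "__main__":
    print("CloudFormation public buckets:", public_buckets_cloudformation(CFN_SAMPLE))
    print("Terraform public buckets:", public_buckets_terraform(TF_SAMPLE))
```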

Run Rule Recommendation

  1. Log in to the AWS Console.
  2. Navigate to the 'S3' service.
  3. Click on the 'S3' resource reported in the alert.
  4. Click on 'Permissions'.
  5. If 'Access Control List' is set to 'Public', follow the steps below.
    a. Under 'Access Control List', click on 'Everyone' and uncheck all items.
    b. Click on Save.
  6. If 'Bucket Policy' grants public access, follow the steps below.
    a. Under 'Bucket Policy', modify the policy to remove public access
    b. Click on Save
    c. If 'Bucket Policy' is not required delete the existing 'Bucket Policy'.
    Note:
    Make sure updating 'Access Control List' or 'Bucket Policy' does not affect S3 bucket data access.
Remediation CLI Command:
aws s3api put-bucket-acl --acl private --bucket ${resourceName}
CLI Command Description:
This CLI command requires the 's3:PutBucketAcl' permission. Successful execution will reset this S3 bucket's ACL (Access Control List) to private. This ensures that only the bucket owner has full privileges.

Compliance

There are 12 standards that are applicable to this policy:
  • PIPEDA
  • NIST 800-171 Rev1
  • NIST CSF
  • NIST 800-53 Rev4
  • ISO 27001:2013
  • HITRUST CSF v9.3
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • MITRE ATT&CK [Beta]
  • PCI DSS v3.2
  • CCPA 2018
