[S3.6]
Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted
Description
Principals from other AWS accounts must be prevented from performing blacklisted actions on S3 buckets such as:
- s3:DeleteBucketPolicy
- s3:PutBucketAcl
- s3:PutBucketPolicy
- s3:PutEncryptionConfiguration
- s3:PutObjectAcl
Restricting access to resources is a fundamental aspect of reducing security risk and the impact of errors. This rule is COMPLIANT if unauthorized principals cannot perform the blacklisted actions.
Details
Property | Value
---|---
Category | Protect > Secure access management
Compliance Control ID | S3.6
FortifyFox ID | FF100051
Link | S3.6 Compliance
Resource Type(s) | AWS::S3::Bucket, AWS::S3::BucketPolicy
Severity | Medium
Parameters | PolicyDocument
Value | An AWS IAM Policy document
Remediation
Use the following CloudFormation templates to deploy an S3 bucket compliant with S3.6
YAML Template

```yaml
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: your-bucket-name
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Id: SSLUsePolicy
        Version: '2012-10-17'
        Statement:
          # Deny the blacklisted actions on the bucket itself and on every object in it
          - Sid: AllowSSLRequestsOnly
            Action:
              - s3:DeleteBucketPolicy
              - s3:PutBucketAcl
              - s3:PutBucketPolicy
              - s3:PutEncryptionConfiguration
              - s3:PutObjectAcl
            Effect: Deny
            Resource:
              - arn:aws:s3:::your-bucket-name
              - arn:aws:s3:::your-bucket-name/*
            Principal: "*"
```
JSON Template

```json
{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "your-bucket-name"
      }
    },
    "S3BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "S3Bucket"
        },
        "PolicyDocument": {
          "Id": "SSLUsePolicy",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowSSLRequestsOnly",
              "Action": [
                "s3:DeleteBucketPolicy",
                "s3:PutBucketAcl",
                "s3:PutBucketPolicy",
                "s3:PutEncryptionConfiguration",
                "s3:PutObjectAcl"
              ],
              "Effect": "Deny",
              "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
              ],
              "Principal": "*"
            }
          ]
        }
      }
    }
  }
}
```
📓 Notes
- You can replace “your-bucket-name” with a globally unique name
📓 Disclaimer
One or more of the following actions have been detected on resources in the S3 bucket(s):
- s3:DeleteBucketPolicy
- s3:PutBucketAcl
- s3:PutBucketPolicy
- s3:PutEncryptionConfiguration
- s3:PutObjectAcl

We are unable to identify external AWS accounts. If access to these actions is allowed from external accounts, then your configuration is not compliant with this control.
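The following is an added example, not FortifyFox's own evaluator and not code from this page: a small offline Python checker that applies the S3.6 blacklist to a bucket policy document. It reports every blacklisted action that an Allow statement grants to a principal outside the bucket owner's account (anonymous "*", a bare account id, or an IAM ARN in another account), and treats an unconditional Deny with Principal "*" (the shape of the remediation template above) as already blocking that action. The owner account id, the partner account id, the Sids and the sample policies are all constructed. Note that the remediation template's Deny with Principal "*" also applies to IAM users and roles in the owning account; only the account root user can still delete a bucket policy that denies s3:DeleteBucketPolicy.

```python
"""Added example for control S3.6 (not FortifyFox's own evaluator).

Evaluates an S3 bucket-policy document offline and reports each blacklisted
action that an external principal is allowed to perform.  Account ids, Sids
and the sample policies below are constructed for this example.
"""
import fnmatch
import json
import re

# The five actions the control blacklists (taken from the control text).
BLACKLISTED_ACTIONS = (
    "s3:DeleteBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutEncryptionConfiguration",
    "s3:PutObjectAcl",
)

# Extracts the 12-digit account id from an IAM principal ARN.
_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """AWS principals of a statement ("*" or the entries under Principal.AWS).
    Service principals such as cloudtrail.amazonaws.com are not other accounts
    and are ignored."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _is_external(principal, owner_account):
    """True for anonymous/any-account ("*") or a principal in another account."""
    if principal == "*":
        return True
    if principal.isdigit():  # bare account-id form
        return principal != owner_account
    match = _ARN_ACCOUNT.match(principal)
    return match is not None and match.group(1) != owner_account


def _matches(patterns, action):
    """Case-insensitive IAM wildcard match ("s3:Put*", "s3:*", "*")."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def find_external_grants(policy_document, owner_account,
                         blacklist=BLACKLISTED_ACTIONS):
    """Return (Sid, principal, action) for every blacklisted action an external
    principal is allowed, unless an unconditional Deny with Principal "*"
    already blocks that action for everyone."""
    statements = _as_list(policy_document.get("Statement"))

    denied_for_all = set()
    for st in statements:
        if (st.get("Effect") == "Deny" and "*" in _aws_principals(st)
                and "Condition" not in st):
            patterns = _as_list(st.get("Action"))
            denied_for_all.update(a for a in blacklist if _matches(patterns, a))

    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        patterns = _as_list(st.get("Action"))
        for principal in _aws_principals(st):
            if not _is_external(principal, owner_account):
                continue
            for action in blacklist:
                if _matches(patterns, action) and action not in denied_for_all:
                    findings.append((st.get("Sid", ""), principal, action))
    return findings


OWNER_ACCOUNT = "111111111111"  # constructed bucket-owner account id

# Constructed sample: a cross-account grant whose wildcard covers the four
# s3:Put* actions on the blacklist.
NON_COMPLIANT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PartnerWrite", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:role/Partner"},
    "Action": ["s3:PutObject", "s3:Put*"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

# Constructed sample: the same grant plus a Deny in the remediation template's shape.
REMEDIATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": NON_COMPLIANT_POLICY["Statement"] + [{
        "Sid": "DenyBlacklistedActions", "Effect": "Deny", "Principal": "*",
        "Action": list(BLACKLISTED_ACTIONS),
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

if __name__ == "__main__":
    for name, policy in (("non-compliant", NON_COMPLIANT_POLICY),
                         ("remediated", REMEDIATED_POLICY)):
        print(name, find_external_grants(policy, OWNER_ACCOUNT))
```

Running the block prints four findings for the first policy (PartnerWrite grants s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration and s3:PutObjectAcl to the partner role) and none for the second, because the unconditional Deny covers all five actions. Statements that use NotAction, NotPrincipal or resource-scoped denies are deliberately outside this simple evaluator; a full IAM policy evaluation would have to handle them.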