S3 bucket policies should not grant access to accounts outside the organization

Description

S3 bucket policies should only grant access to AWS accounts that belong to the same AWS Organization. When a bucket policy contains unconditioned Allow statements referencing AWS principals from accounts outside the organization, it creates a risk of unauthorized data access or exfiltration by third parties.

This rule evaluates each Allow statement in the bucket policy that has no conditions attached, extracts the account ID from any AWS principal ARNs (including bare 12-digit account IDs), and verifies that those accounts are members of the same AWS Organization as the bucket owner. Same-account access, conditioned statements, service principals, and non-account-based principals are not flagged.

Blind spots

  • Conditioned Allow statements granting access to external accounts are not flagged. If the condition does not adequately restrict access (e.g., the condition checks s3:prefix rather than aws:PrincipalOrgID), external access may go undetected.
  • AWS-managed service accounts (e.g., the ELB log delivery account 127311923021) are flagged as external since they are not members of any customer organization. These are expected false positives for buckets that use ELB access logging or similar AWS-managed integrations.

Remediation

Review the S3 bucket policy and remove or restrict unconditioned Allow statements that grant access to AWS accounts outside your organization.

  1. Open the Amazon S3 console and select the affected bucket.
  2. Navigate to the Permissions tab and under Bucket policy, choose Edit.
  3. Identify any Allow statements where the Principal references an account not in your AWS Organization and no condition restricts the access scope.
  4. Either remove the external account principal, replace it with an organization-internal account, or add a condition key such as aws:PrincipalOrgID to scope access to your organization. For guidance on restricting access with organization-based conditions, refer to AWS Organizations condition keys.
  5. Save the updated policy.
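The detection logic described above and the remediated (organization-scoped) statement from step 4, as an added example that is not part of the original rule or Datadog's own implementation. The account IDs, organization ID `o-exampleorgid`, bucket name and statement `Sid`s are constructed sample values.

```python
import re

# Constructed sample: accounts that are members of the bucket owner's organization.
ORG_ACCOUNTS = {"111111111111", "222222222222"}
ACCOUNT_RE = re.compile(r"^\d{12}$")


def principal_account(principal):
    """Return the 12-digit account ID in an AWS principal (ARN or bare ID), else None."""
    if ACCOUNT_RE.match(principal):
        return principal
    parts = principal.split(":")  # arn:partition:service:region:ACCOUNT:resource
    if len(parts) >= 6 and parts[0] == "arn" and ACCOUNT_RE.match(parts[4]):
        return parts[4]
    return None  # "*", canonical user IDs and anything unparseable are out of scope


def external_account_findings(policy, org_accounts):
    """Flag unconditioned Allow statements whose AWS principals are outside the org."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditioned Allows are not evaluated
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # a bare "*" is not an account-based principal
        aws = principal.get("AWS", [])  # Service/Federated principals are skipped
        for p in [aws] if isinstance(aws, str) else aws:
            account = principal_account(p)
            if account and account not in org_accounts:
                findings.append((stmt.get("Sid", "<no Sid>"), account))
    return findings


# Constructed bucket policy covering the cases the rule distinguishes.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SameAccount", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/App"},
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "ExternalUnconditioned", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": ["arn:aws:iam::999999999999:root", "888888888888"]},
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "ScopedToOrg", "Effect": "Allow", "Action": "s3:GetObject",  # remediated form
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "ServicePrincipal", "Effect": "Allow", "Action": "s3:PutObject",
     "Principal": {"Service": "logging.s3.amazonaws.com"},
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
```

Only `ExternalUnconditioned` is reported; `ScopedToOrg` escapes the check purely because it carries a condition, which is exactly the blind spot noted above when the condition key is something weaker than `aws:PrincipalOrgID`.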

For a broader overview of S3 bucket policy management, refer to Adding a bucket policy using the Amazon S3 console.