
S3 bucket does not allow authenticated users to modify access controls

s3

Classification:

compliance


Description

Modify your access control permissions to remove WRITE_ACP access for authenticated users.

Rationale

WRITE_ACP lets a grantee rewrite the bucket's Access Control List (ACL). When it is granted to the Authenticated Users group, any AWS account or IAM user, not only principals in your own account, can grant themselves READ and WRITE permissions on the bucket. With those permissions, authenticated users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.

Remediation

Console

Follow the Controlling access to a bucket with user policies docs to edit your existing policy and set the policy permissions to private.

CLI

  1. Run put-bucket-acl with your S3 bucket name and the ACL set to private.

put-bucket-acl.sh

  aws s3api put-bucket-acl \
    --bucket your-bucket-name \
    --acl private
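To see what this rule actually evaluates, here is an added example (not Datadog's or AWS's own code) that checks a saved `get-bucket-acl` response for a WRITE_ACP or FULL_CONTROL grant to the AuthenticatedUsers group and builds the `put-bucket-acl` remediation command from the CLI step above. The ACL document and the owner canonical ID are constructed sample values.

```python
"""Check an S3 bucket ACL for the misconfiguration this rule flags."""
import json

# Predefined S3 group URI; membership is any authenticated AWS account.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Permissions that let the grantee change the ACL itself.
ACL_WRITE_PERMISSIONS = {"WRITE_ACP", "FULL_CONTROL"}


def acl_write_grants(acl):
    """Return the permissions in a get-bucket-acl response that let the
    AuthenticatedUsers group rewrite the bucket ACL (empty list if none)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees are named principals
        if (grantee.get("URI") == AUTHENTICATED_USERS
                and grant.get("Permission") in ACL_WRITE_PERMISSIONS):
            findings.append(grant["Permission"])
    return findings


def is_compliant(acl):
    return not acl_write_grants(acl)


def remediation_command(bucket):
    """The CLI call from the Remediation section, as an argv list."""
    return ["aws", "s3api", "put-bucket-acl", "--bucket", bucket, "--acl", "private"]


# Constructed sample in the shape `aws s3api get-bucket-acl` returns.
NONCOMPLIANT_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE_ACP"}
  ]
}""")

# The same bucket after `--acl private`: only the owner grant remains.
PRIVATE_ACL = {"Owner": NONCOMPLIANT_ACL["Owner"],
               "Grants": [NONCOMPLIANT_ACL["Grants"][0]]}

if __name__ == "__main__":
    print("before:", acl_write_grants(NONCOMPLIANT_ACL), "compliant:", is_compliant(NONCOMPLIANT_ACL))
    print("after: ", acl_write_grants(PRIVATE_ACL), "compliant:", is_compliant(PRIVATE_ACL))
    print(" ".join(remediation_command("your-bucket-name")))
```

Pipe a real `aws s3api get-bucket-acl --bucket <name>` output through `json.load` to run the same check against a live bucket.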