
S3 bucket cannot be accessed for WRITE actions

s3

Classification:

compliance


Description

Update your AWS S3 bucket to remove WRITE actions for any IAM user or AWS authenticated account.

Rationale

Authenticated users with AWS S3 bucket WRITE privileges can add, delete, and replace objects without restriction, which can lead to potential data loss or unintended billing charges.

Remediation

Console

Follow the Editing customer managed policies (console) documentation to learn how to edit permissions for your existing policy. In the console, modify Permissions for Access Control Lists (ACLs). Deselect Upload/Delete for Any Authenticated AWS User.

CLI

  1. Run list-buckets to list all available S3 buckets for your account.

list-buckets.sh

  aws s3api list-buckets \
    --query "Buckets[].Name"

  2. Run put-bucket-acl with your bucket name and the canned ACL to apply to the bucket. The private canned ACL leaves only the bucket owner with FULL_CONTROL, which removes the WRITE grant for Any Authenticated AWS User.

put-bucket-acl.sh

  aws s3api put-bucket-acl \
    --bucket your-bucket-name \
    --acl private
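As an added example (not part of this rule page or the AWS CLI documentation), the Python below inspects a bucket ACL in the shape returned by aws s3api get-bucket-acl, reports WRITE or FULL_CONTROL grants to the AuthenticatedUsers group, and builds the put-bucket-acl command from step 2 to reset the ACL to private. It goes slightly beyond the rule text by also flagging the AllUsers (public) group; the bucket name and ACL document are constructed sample values, not real resources.

```python
import json
import subprocess

# Group grantee URIs for "any authenticated AWS account" and "everyone".
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# ACL permissions that let a grantee add, replace or delete objects.
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}


def write_grants_to_group(acl):
    """Return (grantee URI, permission) for each grant in a get-bucket-acl
    result that gives WRITE or FULL_CONTROL to AuthenticatedUsers or AllUsers."""
    offending = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees are out of scope here
        if grantee.get("URI") not in (AUTHENTICATED_USERS_URI, ALL_USERS_URI):
            continue
        if grant.get("Permission") in WRITE_PERMISSIONS:
            offending.append((grantee["URI"], grant["Permission"]))
    return offending


def fetch_acl(bucket):
    """Read the live ACL with the AWS CLI (needs credentials; not used offline)."""
    out = subprocess.run(["aws", "s3api", "get-bucket-acl", "--bucket", bucket,
                          "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


def remediation_command(bucket):
    """The put-bucket-acl call from step 2 of the Remediation section, as argv."""
    return ["aws", "s3api", "put-bucket-acl", "--bucket", bucket, "--acl", "private"]


def check_bucket(bucket, acl, apply=False):
    """Report offending grants; with apply=True, reset the bucket ACL to private."""
    findings = write_grants_to_group(acl)
    if findings and apply:
        subprocess.run(remediation_command(bucket), check=True)
    return findings


# Constructed sample in the shape of `aws s3api get-bucket-acl` output (no real bucket).
SAMPLE_ACL = json.loads("""{
  "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE_CANONICAL_ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_CANONICAL_ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
  ]
}""")

if __name__ == "__main__":
    for uri, perm in check_bucket("your-bucket-name", SAMPLE_ACL):
        print(f"your-bucket-name: {perm} granted to {uri}")
    print("remediation:", " ".join(remediation_command("your-bucket-name")))
```

Running check_bucket with apply=True on live data issues the same put-bucket-acl call the page shows, so review the findings first.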