S3 bucket policies should restrict access from other AWS accounts

Description

This check verifies whether an Amazon S3 general-purpose bucket policy prevents principals in other AWS accounts from performing the risky actions listed below on resources in the bucket. The check fails if the bucket policy allows any of those actions for a principal in a different AWS account.

Enforcing the principle of least privilege reduces security risk and limits the impact of mistakes or malicious activity. Granting external accounts access through an S3 bucket policy could lead to data exfiltration by malicious insiders or attackers.

The check uses the blacklistedactionpatterns parameter: a bucket passes when its policy grants external accounts only actions that do not match any pattern in the blacklistedactionpatterns list.

Risky Actions: s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutObjectAcl

Remediation

To adjust an Amazon S3 bucket policy to revoke permissions, please refer to the Adding a bucket policy using the Amazon S3 console section in the Amazon Simple Storage Service User Guide.

On the Edit bucket policy page, in the policy editing text box, do one of the following:

  • Remove the statements that allow other AWS accounts to perform the denied actions.
  • Remove the denied actions from the statements that permit them.
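As an added illustration, not part of the control text or of any AWS tool, the following Python evaluates a bucket policy document against the risky actions listed above, the way the check is described, and applies the second remediation option by stripping those actions from cross-account Allow statements. The account IDs, role name and bucket name in the sample policy are constructed.

```python
import fnmatch
import json

# Action patterns named in the control text (the blacklistedactionpatterns parameter).
RISKY_ACTION_PATTERNS = ["s3:DeleteBucketPolicy", "s3:PutBucketAcl", "s3:PutBucketPolicy",
                         "s3:PutEncryptionConfiguration", "s3:PutObjectAcl"]

def _as_list(value):
    # IAM lets Statement, Principal.AWS and Action be a single string or a list.
    return value if isinstance(value, list) else [value]

def _principal_accounts(principal):
    """Yield the account IDs a Principal element names ('*' means anyone)."""
    entries = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    for entry in entries:
        # Each entry is '*', a bare 12-digit account ID, or an ARN whose fifth field is the account.
        yield entry if entry == "*" or entry.isdigit() else entry.split(":")[4]

def is_risky(action):
    """True if the action, or a wildcard it uses (s3:Put*, s3:*), covers a risky action."""
    a = action.lower()  # IAM action names are case-insensitive
    return any(fnmatch.fnmatchcase(p.lower(), a) or fnmatch.fnmatchcase(a, p.lower())
               for p in RISKY_ACTION_PATTERNS)

def find_violations(policy, own_account):
    """Return (Sid, account, action) for every Allow that grants another account a risky action."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for account in _principal_accounts(stmt["Principal"]):
            if account != own_account:
                hits += [(stmt.get("Sid", ""), account, act)
                         for act in _as_list(stmt.get("Action", [])) if is_risky(act)]
    return hits

def remediate(policy, own_account):
    """Second remediation option from the text: drop the risky actions from offending statements."""
    fixed = json.loads(json.dumps(policy))  # deep copy so the caller's policy is untouched
    for stmt in _as_list(fixed.get("Statement", [])):
        if find_violations({"Statement": [stmt]}, own_account):
            stmt["Action"] = [a for a in _as_list(stmt["Action"]) if not is_risky(a)]
    return fixed

# Constructed sample: owner 111111111111 lets a role in 222222222222 read objects and rewrite the policy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CrossAccountRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:role/reader"},
    "Action": ["s3:GetObject", "s3:PutBucketPolicy"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
```

Running `find_violations(SAMPLE_POLICY, "111111111111")` reports the s3:PutBucketPolicy grant to account 222222222222, and `remediate` returns a copy of the policy that keeps only s3:GetObject for that role.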