S3 bucket policy should prevent public write access

Description

Update your bucket policy as your Amazon S3 bucket is writeable by anyone.

Rationale

When misconfigured, an S3 bucket policy can grant anyone the ability to write to the contents of an S3 bucket. This gives an attacker the ability to modify objects in the bucket or create new ones.

Remediation

Remove or modify the existing bucket policy to prevent anyone from being able to write to it.

From the console

Follow the Controlling access to a bucket with user policies docs to edit your existing policy and remove the access.

From the command line

  1. Run the delete-bucket-policy command to fully remove any public write access to the bucket.
    aws s3api delete-bucket-policy \
      --bucket insert-bucket-name-here
    
  2. If you need a bucket policy, create a new non-public bucket policy using the AWS Policy Generator.
  3. Apply the bucket policy from Step 2 with the put-bucket-policy command.
    aws s3api put-bucket-policy
      --bucket insert-bucket-name-here
      --policy file://insert-bucket-policy-file-name-here.json