S3 bucket contents should only be accessible by authorized principals

Description

Update your bucket policy as the contents of your Amazon S3 bucket are publicly accessible.

Rationale

Unintentionally exposed Amazon S3 buckets have led to numerous data breaches and leaks. When misconfigured, an S3 bucket policy can permit anyone to download the contents of an Amazon S3 bucket.

Note: If the bucket is configured to host a static website, this rule does not trigger because bucket contents are expected to be public to serve the site.

Remediation

Ensure that there is a valid business justification as to why the bucket and all of its contents have been made public. If there is no valid reason, follow these steps to prevent public access.

From the console

Follow the Controlling access to a bucket with user policies docs to edit your existing policy and set the policy permissions to private.

From the command line

  1. Run the delete-bucket-policy command to fully remove any public access to the bucket.
    aws s3api delete-bucket-policy \
      --bucket insert-bucket-name-here
    
  2. If you need a bucket policy, create a new non-public bucket policy using the AWS Policy Generator.
  3. Apply the bucket policy from Step 2 with the put-bucket-policy command.
    aws s3api put-bucket-policy
      --bucket insert-bucket-name-here
      --policy file://insert-bucket-policy-file-name-here.json