Ensure bucket policy is enforced with least privileges for all AWS S3 buckets

HIGH

Description

Overly permissive Amazon S3 buckets may lead to unauthorized access.

Remediation

In AWS Console -

Sign in to the AWS console and go to the S3 console.
Choose the bucket you wish to edit.
Select the Permissions tab.
Confirm your public access settings.
Under Bucket policy, select Edit and edit the policy accordingly.
Select Save changes.

In Terraform -

For each aws_s3_bucket resource, add an aws_s3_bucket_policy resource.
Each aws_s3_bucket_policy should have a policy with Principal permissions clearly defined, rather than using wildcards.

References:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy

Policy Details

Rule Reference ID: AC_AWS_0215

CSP: AWS

Remediation Available: Yes

Domain: Identity and Access Management

Resource: aws_s3_bucket

Resource Category: Storage

Resource Type: S3 Bucket

Frameworks

GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
ISO-27001
SOC2