Ensure AWS S3 Bucket object ownership is more restrictive

MEDIUM

Description

The bucket's object_ownership setting is not BucketOwnerPreferred. S3 Object Ownership controls who owns objects uploaded to a bucket: with the ObjectWriter setting, objects written by another AWS account remain owned by that account, and the bucket owner may be unable to read, delete or re-share them. BucketOwnerPreferred transfers ownership to the bucket owner for objects uploaded with the bucket-owner-full-control canned ACL; BucketOwnerEnforced is stricter still, disabling ACLs so that the bucket owner owns every object regardless of what the uploader sends. Note that the S3 bucket owner condition (the x-amz-expected-bucket-owner request parameter, referenced below) is a separate control that verifies the buckets you use in your S3 operations belong to the AWS accounts you expect; it does not change object ownership.

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the S3 console.
  2. Choose the bucket you wish to edit.
  3. Select the Permissions tab.
  4. Under Object Ownership, select Edit and choose the ownership setting: ACLs disabled (BucketOwnerEnforced), or ACLs enabled with Bucket owner preferred (BucketOwnerPreferred).
  5. Select Save changes.

In Terraform -

  1. For each aws_s3_bucket resource, add an aws_s3_bucket_ownership_controls resource that references the bucket's id.
  2. Inside it, create a rule block whose object_ownership argument is BucketOwnerPreferred (the value this rule checks for) or the stricter BucketOwnerEnforced.
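The Terraform steps above, as an added example that is not part of the original policy page or the scanner's own remediation code. It shows the ObjectWriter setting that this rule flags (commented out) beside the compliant BucketOwnerPreferred setting, plus a bucket policy that closes the gap BucketOwnerPreferred leaves open: an uploader from another account can still omit the bucket-owner-full-control ACL and keep ownership. The bucket name, region and the trusted uploader account ID 111122223333 are placeholders.

```hcl
# Added example, not from the original page. Bucket name, region and the
# uploader account ID are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# Account that owns the bucket; used to exempt its own principals from the Deny below.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "data" {
  bucket = "example-org-shared-data" # placeholder name
}

# Weak setting that AC_AWS_0216 flags: objects written by other accounts stay
# owned by the writer, so the bucket owner may not be able to read or delete them.
#
# resource "aws_s3_bucket_ownership_controls" "data" {
#   bucket = aws_s3_bucket.data.id
#   rule {
#     object_ownership = "ObjectWriter"
#   }
# }

# Compliant setting: ownership of objects uploaded with the
# bucket-owner-full-control canned ACL transfers to the bucket owner.
# "BucketOwnerEnforced" is stricter: it disables ACLs entirely, so the bucket
# owner owns every object and the policy below becomes unnecessary.
resource "aws_s3_bucket_ownership_controls" "data" {
  bucket = aws_s3_bucket.data.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

data "aws_iam_policy_document" "require_owner_full_control" {
  # Let the trusted external account upload objects.
  statement {
    sid    = "AllowTrustedAccountUploads"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:root"] # placeholder account
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.data.arn}/*"]
  }

  # Deny any cross-account PutObject that does not grant the bucket owner full
  # control. StringNotEquals also matches when the x-amz-acl header is absent,
  # so uploads that omit the ACL are refused rather than silently keeping
  # writer ownership. Conditions in one statement are ANDed, so the bucket
  # owner's own principals are exempt.
  statement {
    sid    = "DenyCrossAccountUploadsWithoutOwnerFullControl"
    effect = "Deny"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.data.arn}/*"]

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "data" {
  bucket = aws_s3_bucket.data.id
  policy = data.aws_iam_policy_document.require_owner_full_control.json
}
```

After `terraform apply`, confirm the setting with `aws s3api get-bucket-ownership-controls --bucket example-org-shared-data`; the response should report ObjectOwnership as BucketOwnerPreferred. If no other account needs to write to the bucket, prefer BucketOwnerEnforced: with ACLs disabled, uploads that specify any ACL other than bucket-owner-full-control fail, and object ownership no longer depends on what the uploader sends.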

References:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls

Policy Details

Rule Reference ID: AC_AWS_0216
CSP: AWS
Remediation Available: Yes
Resource Category: Storage
Resource Type: S3 Bucket

Frameworks