Ensure there is no policy with invalid principal key for AWS S3 Bucket policy

LOW

Description

The Principal element of a bucket policy statement names the IAM users, roles, accounts, federated identities, or AWS services the statement grants or denies access to. It is written as a map whose key must be one of AWS, CanonicalUser, Federated, or Service (the anonymous wildcard "*" is also accepted by the policy grammar, but it grants public access and is a separate concern). A statement that uses any other key is malformed: AWS rejects it when the policy is applied, so the access the author intended is never granted, and a policy that appears to restrict access is not actually in force. For more information on how to properly assign a Principal within the S3 bucket policy, see the AWS S3 documentation.
References:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-bucket-user-policy-specifying-principal-intro.html

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the S3 console.
  2. In the Navigation pane, select Buckets.
  3. In the list of buckets, select the bucket to edit.
  4. Select the Permissions tab, and then under Bucket policy choose Edit.
  5. Edit the policy and ensure the Principal is properly defined.
  6. Select Save changes.

In Terraform -

  1. In the aws_s3_bucket_policy resource, configure the policy with a properly defined Principal.
  2. Use only valid principal keys in the Principal map: AWS, CanonicalUser, Federated, or Service. Any other key makes the policy invalid. Generating the document with the aws_iam_policy_document data source instead of hand-written JSON lets the provider validate the principal type before the policy reaches AWS.
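The following is an added example, not code from the rule page or from the Terraform provider documentation. It places a flagged policy beside its corrected form. The bucket name, account ID and role ARN are placeholders, and the key `User` in the flagged version is a deliberately invalid principal key chosen for illustration:

```hcl
# Added example for AC_AWS_0482; all names and ARNs below are placeholders.

resource "aws_s3_bucket" "example" {
  bucket = "example-app-data" # placeholder bucket name
}

# Flagged form. "User" is not a valid principal key (only AWS, CanonicalUser,
# Federated and Service are). AWS rejects this document as malformed when the
# bucket policy is applied, so the intended read access is never granted.
# Kept in a local so it is visible for comparison but never attached.
locals {
  flagged_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "AllowReadFromAppRole"
      Effect   = "Allow"
      Principal = {
        User = "arn:aws:iam::123456789012:role/app-reader" # invalid key
      }
      Action   = ["s3:GetObject"]
      Resource = "${aws_s3_bucket.example.arn}/*"
    }]
  })
}

# Corrected form. The data source emits Principal as {"AWS": [...]} and the
# provider validates the principal type at plan time, so an invalid key is
# caught before anything is sent to S3.
data "aws_iam_policy_document" "reader" {
  statement {
    sid    = "AllowReadFromAppRole"
    effect = "Allow"

    principals {
      type        = "AWS" # one of AWS, CanonicalUser, Federated, Service
      identifiers = ["arn:aws:iam::123456789012:role/app-reader"] # placeholder
    }

    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.example.arn}/*"]
  }
}

resource "aws_s3_bucket_policy" "reader" {
  bucket = aws_s3_bucket.example.id
  policy = data.aws_iam_policy_document.reader.json
}
```

Scoping the principal to a specific role ARN rather than `"*"` keeps the fix from trading one finding (an invalid principal) for another (a public bucket).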

References:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy

Policy Details

Rule Reference ID: AC_AWS_0482
CSP: AWS
Remediation Available: Yes
Resource Category: Storage
Resource Type: S3 Bucket

Frameworks