Ensure 'allow getAcl actions from all principals' is disabled for AWS S3 Buckets

HIGH

Description

Misconfigured S3 buckets can lead to private information becoming available to the entire internet and could also allow for unauthorized tampering. Limiting public access will help protect private data.
References:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the S3 Console.
  2. Select the bucket.
  3. Click the Permissions tab.
  4. Select Bucket Policy.
  5. In the Bucket Policy editor, ensure that read actions are not assigned to all (*) principals.

In Terraform -

  1. In the aws_s3_bucket_policy resource, configure the policy field with a valid statement.
  2. Clearly define the actions allowed and principals that require such access.
  3. Do not use wildcards (*) in any of these fields to ensure explicit access.
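The check this rule performs can be reproduced offline against a bucket policy document. The following is an added example, not code from the page or from the rule's vendor; it assumes the "getAcl" family means `s3:GetBucketAcl`, `s3:GetObjectAcl` and `s3:GetObjectVersionAcl`, and the two policy documents and the account id in them are constructed samples.

```python
import fnmatch
import json

# Actions treated as "getAcl" actions. Assumed list: the rule page names the
# action family only, it does not enumerate the individual API actions.
GET_ACL_ACTIONS = ("s3:GetBucketAcl", "s3:GetObjectAcl", "s3:GetObjectVersionAcl")

def _as_list(value):
    """Policy elements may be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    """True when Principal grants to all principals: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def _is_get_acl_action(action):
    """IAM action strings are case-insensitive and may use '*' / '?' wildcards."""
    return any(fnmatch.fnmatchcase(a.lower(), action.lower()) for a in GET_ACL_ACTIONS)

def find_public_get_acl_statements(policy_json):
    """Return Sids (or positional labels) of Allow statements granting a getAcl
    action to everyone. Conditions are ignored, so the check is conservative:
    a '*' principal narrowed by a Condition is still reported for review."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if any(_is_get_acl_action(a) for a in _as_list(stmt.get("Action"))):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings

# Constructed sample policies (not from the page): the misconfiguration, then the fix
# that names an explicit principal and action instead of wildcards.
PUBLIC_POLICY = ('{"Version":"2012-10-17","Statement":[{"Sid":"PublicAclRead","Effect":"Allow",'
                 '"Principal":"*","Action":["s3:GetBucketAcl","s3:GetObject"],'
                 '"Resource":"arn:aws:s3:::example-bucket"}]}')
FIXED_POLICY = ('{"Version":"2012-10-17","Statement":[{"Sid":"AuditRoleAclRead","Effect":"Allow",'
                '"Principal":{"AWS":"arn:aws:iam::123456789012:role/audit"},'
                '"Action":"s3:GetBucketAcl","Resource":"arn:aws:s3:::example-bucket"}]}')

if __name__ == "__main__":
    print("public:", find_public_get_acl_statements(PUBLIC_POLICY))  # ['PublicAclRead']
    print("fixed: ", find_public_get_acl_statements(FIXED_POLICY))   # []
```

Feed it the `policy` string from an `aws_s3_bucket_policy` resource (or the output of `aws s3api get-bucket-policy`) to flag statements that still grant ACL reads to all principals before they are applied.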

References:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy

Policy Details

Rule Reference ID: AC_AWS_0223
CSP: AWS
Remediation Available: Yes
Resource Category: Storage
Resource Type: S3 Bucket

Frameworks