S3 bucket policies should not allow all actions for all IAM principals and public users

Description

S3 bucket policies, and access control policies in general, should not allow wildcard (*) actions, except in very specific administrative situations. Granting wildcard actions to all (*) principals lets any caller, including unauthenticated public users, read, write and delete objects and even rewrite the bucket policy itself, which is overly permissive. Note that S3 Block Public Access, when enabled on the bucket or account, rejects a bucket policy that grants public access; the policy document should still be checked directly rather than relying on that setting alone.

Remediation Steps

AWS Console

  • Navigate to S3.

  • Select the S3 bucket.

  • Click the Permissions tab.

  • Select Bucket Policy.

  • In the Bucket Policy editor, ensure that no statement with Effect Allow grants wildcard (*) actions to all (*) principals (Principal "*" or {"AWS": "*"}).

AWS CLI

  • Ensure that S3 bucket policies created via CLI do not allow all (*) actions for all (*) principals. The example below grants the account read access and uses an explicit Deny for all principals only for requests over unencrypted transport; an unconditional Deny for all principals and all actions would override the Allow and block the account as well, because an explicit Deny always wins:

    • aws s3api put-bucket-policy --bucket <bucket value> --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["<account id>"]},"Action":"s3:Get*","Resource":"<bucket arn>/*"},{"Effect":"Deny","Principal":"*","Action":"*","Resource":"<bucket arn>/*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}'

Terraform

  • If a bucket policy is defined in the policy argument of an aws_s3_bucket resource, ensure the JSON document does NOT contain a statement that combines all three of an invalid principal, an invalid action and an invalid effect:

    • Invalid principals:

      • "*"

      • "AWS": "*"

    • Invalid action:

      • "*"

    • Invalid effect:

      • Allow

  • If a bucket policy is defined as an aws_s3_bucket_policy resource, ensure the JSON document in its policy argument does NOT contain a statement that combines all three of the invalid principal, action and effect listed above. A statement that uses the wildcard principal and action with Effect Deny (for example, to deny access from outside an IP range or over unencrypted transport) does not violate this rule.
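The check described in the Terraform and CLI steps above, applied to a bucket policy document, as an added example that is not part of the original page or of any scanner's own code. The function names (check_policy_document, violating_statements, is_all_principals, is_all_actions) and the three sample policies are constructed for this illustration; the bucket name and account ID in them are placeholders. It goes slightly beyond the page's list of invalid actions by also treating "s3:*" as all actions, since that grants every S3 action a bucket policy can express, and it handles the scalar-or-list forms that policy JSON allows for Statement, Action and Principal.AWS.

```python
import json
from typing import Any

# Actions treated as "all actions". The page lists only "*"; "s3:*" is added
# here (an extension, not from the page) because it covers every S3 action.
ALL_ACTIONS = {"*", "s3:*"}


def _as_list(value: Any) -> list:
    """Policy JSON allows a scalar or a list in Statement, Action and
    Principal.AWS; normalise to a list so callers can iterate uniformly."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_all_principals(principal: Any) -> bool:
    """True for the two invalid principal forms from the page: "*" and
    {"AWS": "*"} (including "*" appearing inside a list under "AWS")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def is_all_actions(action: Any) -> bool:
    """True if any listed action is a full wildcard ("*" or "s3:*")."""
    return any(a in ALL_ACTIONS for a in _as_list(action))


def violating_statements(policy: dict) -> list:
    """Return the Sid (or a positional placeholder) of every statement that
    combines Effect Allow, an all-principals Principal and an all-actions
    Action. Deny statements are never reported, whatever their principal or
    action; NotPrincipal and NotAction forms are out of scope for this rule."""
    found = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        if is_all_principals(stmt.get("Principal")) and is_all_actions(stmt.get("Action")):
            found.append(stmt.get("Sid", f"<statement {index}>"))
    return found


def check_policy_document(doc: str) -> list:
    """Parse a policy document string, such as the Policy field returned by
    `aws s3api get-bucket-policy`, and return the violating statement Sids."""
    return violating_statements(json.loads(doc))


# Constructed sample policies (hypothetical bucket and account ID).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicFullControl",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Account-scoped Allow plus a conditional Deny: wildcard principal and action
# appear only in the Deny statement, so nothing is flagged.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccountRead", "Effect": "Allow",
         "Principal": {"AWS": "123456789012"}, "Action": "s3:Get*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Wildcards hidden inside lists (and a single-object Statement) are still wildcards.
LIST_FORM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:root", "*"]},
        "Action": ["s3:GetObject", "s3:*"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    },
})


if __name__ == "__main__":
    for name, doc in [("open", OPEN_POLICY), ("scoped", SCOPED_POLICY),
                      ("list-form", LIST_FORM_POLICY)]:
        print(name, check_policy_document(doc))
```

To run it against a live bucket, feed it the document string from `aws s3api get-bucket-policy --bucket <bucket value> --query Policy --output text`. A Condition on an Allow statement does not exempt it from the rule as the page states it, so such statements are still reported and should be reviewed by hand.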

Example Configuration

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
}

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
      {
        Sid       = "IPAllow"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.b.arn,
          "${aws_s3_bucket.b.arn}/*",
        ]
        Condition = {
          NotIpAddress = {
            "aws:SourceIp" = "8.8.8.8/32"
          }
        }
      },
    ]
  })

  # other required fields here
}