S3 bucket policies should not allow all actions for all principals

Description

S3 bucket policies - and access control policies in general - should not allow wildcard/all actions, except in very specific administrative situations. Allowing all principals to wildcard access is overly permissive.

Console Remediation Steps

  • Navigate to S3.

  • Select the S3 bucket.

  • Click the Permissions tab.

  • Select Bucket Policy.

  • In the Bucket Policy editor, ensure that wildcard (*) actions are not assigned to all (*) principals.

CLI Remediation Steps

  • Ensure that S3 bucket policies created via CLI do not allow all (*) actions for all (*) principals:

    • aws s3api put-bucket-policy --bucket <bucket value> --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["<account id>"]},"Action":"s3:Get*","Resource":"<bucket arn>/*"},{"Effect":"Deny","Principal":"*","Action":"*","Resource":"<bucket arn>/*"}]}'