S3 bucket policies should not allow all actions for all principals

Description

S3 bucket policies - and access control policies in general - should not allow wildcard/all actions, except in very specific administrative situations. Allowing all principals to wildcard access is overly permissive.

Console Remediation Steps

• Navigate to S3.

• Select the S3 bucket.

• Click the Permissions tab.

• Select Bucket Policy.

• In the Bucket Policy editor, ensure that wildcard (*) actions are not assigned to all (*) principals.

CLI Remediation Steps

• Ensure that S3 bucket policies created via CLI do not allow all (*) actions for all (*) principals:

  • aws s3api put-bucket-policy --bucket <bucket value> --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["<account id>"]},"Action":"s3:Get*","Resource":"<bucket arn>/*"},{"Effect":"Deny","Principal":"*","Action":"*","Resource":"<bucket arn>/*"}]}'

Documentation Links

• Using bucket policies for access control

• S3 Command Line Reference