S3 bucket policies should not allow all actions for all IAM principals and public users¶
Description¶
S3 bucket policies - and access control policies in general - should not allow wildcard/all actions, except in very specific administrative situations. Allowing all principals to wildcard access is overly permissive.
Remediation Steps¶
AWS Console¶
Navigate to S3.
Select the S3 bucket.
Click the Permissions tab.
Select Bucket Policy.
In the Bucket Policy editor, ensure that wildcard (
*) actions are not assigned to all (*) principals.
AWS CLI¶
Ensure that S3 bucket policies created via CLI do not allow all (
*) actions for all (*) principals:aws s3api put-bucket-policy --bucket <bucket value> --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["<account id>"]},"Action":"s3:Get*","Resource":"<bucket arn>/*"},{"Effect":"Deny","Principal":"*","Action":"*","Resource":"<bucket arn>/*"}]}'
Terraform¶
If a bucket policy is defined in an aws_s3_bucket
policyfield, ensure the JSON document does NOT contain BOTH an invalid principal, an invalid action, and an invalid effect:Invalid principals:
"*""AWS": "*"
Invalid action:
"*"
Invalid effect:
Allow
If a bucket policy as defined as an aws_s3_bucket_policy, ensure the JSON document in the
policyfield does NOT contain BOTH an invalid principal, an invalid action, and an invalid effect, as listed above
Example Configuration¶
resource "aws_s3_bucket" "b" {
bucket = "my-tf-test-bucket"
# other required fields here
}
resource "aws_s3_bucket_policy" "b" {
bucket = aws_s3_bucket.b.id
policy = jsonencode({
Version = "2012-10-17"
Id = "MYBUCKETPOLICY"
Statement = [
{
Sid = "IPAllow"
Effect = "Deny"
Principal = "*"
Action = "s3:*"
Resource = [
aws_s3_bucket.b.arn,
"${aws_s3_bucket.b.arn}/*",
]
Condition = {
NotIpAddress = {
"aws:SourceIp" = "8.8.8.8/32"
}
}
},
]
})
# other required fields here
}