S3 bucket policies should not allow all actions for all IAM principals and public users
Description
S3 bucket policies, and access control policies in general, should not allow wildcard (all) actions except in very specific administrative situations. A statement that grants all actions ("Action": "*" or "s3:*") to all principals ("Principal": "*", or equivalently {"AWS": "*"}) lets any AWS identity and any anonymous internet user read, write and delete the bucket's objects, unless S3 Block Public Access is enabled and rejects the policy. Such a statement is overly permissive and should be replaced by one that names the specific principals and the specific actions they need.
Console Remediation Steps
Navigate to S3.
Select the S3 bucket.
Click the Permissions tab.
Select Bucket Policy.
In the Bucket Policy editor, ensure that wildcard (*) actions are not assigned to all (*) principals.
CLI Remediation Steps
Ensure that S3 bucket policies created via the CLI do not allow all (*) actions for all (*) principals. The policy below grants read-only access to one account and denies every other principal. An explicit Deny always overrides an Allow, so a Deny for all principals must be scoped with a Condition (here aws:PrincipalAccount) or it will also block the account that was just allowed:

aws s3api put-bucket-policy --bucket <bucket value> --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["<account id>"]}, "Action": "s3:Get*", "Resource": "<bucket arn>/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "<bucket arn>/*",
     "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "<account id>"}}}
  ]
}'

Confirm the stored policy afterwards with aws s3api get-bucket-policy --bucket <bucket value>.