S3 Bucket has allowed access for all principals

ID: aws_s3_allow_all_principals

Severity: critical

Vendor: AWS

Resource: IAM

Tags: asvs50-v8.2.1, reachable

Description

The S3 bucket policy allows access for all principals. Restrict the principal so the bucket does not leak private information to the entire internet or allow unauthorized data tampering or deletion. The rule matches a policy statement with Effect=Allow and Principal "*".

Learn more about this topic at AWS S3 Bucket policy.

Examples

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutBucket",
      "Resource": "arn:aws:s3:::targetBucketName",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "sourceAccountID"
        }
      }
    }
  ]
}

Mitigation / Fix

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "s3:PutBucket",
      "Resource": "arn:aws:s3:::targetBucketName",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "sourceAccountID"
        }
      }
    }
  ]
}
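The check the rule describes, written out as an added example (not part of the rule page or of the scanner it belongs to): parse a bucket policy document and report every Allow statement whose Principal is open to everyone. The two policy documents embedded below are the page's own Examples and Mitigation policies, copied in as constructed sample input; the function and variable names are this example's own. The checker also treats the {"AWS": "*"} form of the principal as a wildcard, which goes beyond the bare "*" the page shows, and it deliberately does not look at Condition: the page's flagged example carries an AWS:SourceAccount condition and is flagged anyway, so a Condition does not clear the finding.

```python
import json

# Constructed sample: the flagged policy from the rule's Examples section.
FLAGGED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutBucket",
      "Resource": "arn:aws:s3:::targetBucketName",
      "Condition": {"StringEquals": {"AWS:SourceAccount": "sourceAccountID"}}
    }
  ]
}"""

# Constructed sample: the corrected policy from the Mitigation / Fix section.
FIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSConfigBucketPermissionsCheck",
      "Effect": "Allow",
      "Principal": {"Service": "config.amazonaws.com"},
      "Action": "s3:PutBucket",
      "Resource": "arn:aws:s3:::targetBucketName",
      "Condition": {"StringEquals": {"AWS:SourceAccount": "sourceAccountID"}}
    }
  ]
}"""


def principal_is_wildcard(principal):
    """Return True when a Principal element grants to every caller.

    A bucket policy expresses "everyone" either as the bare string "*"
    (the form the rule page shows) or as {"AWS": "*"}; the "AWS" value
    may also be a list that contains "*". Anything else (a specific
    account, role ARN or an AWS service principal) is not a wildcard.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_allow_all_principals(policy_document):
    """Return the Sid of each Allow statement open to all principals.

    Statements without a Sid are reported by their index. Condition is
    intentionally ignored: the rule fires on Effect and Principal alone.
    """
    policy = json.loads(policy_document)
    statements = policy.get("Statement", [])
    # A policy may carry a single statement object instead of a list.
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_wildcard(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    for name, doc in (("flagged", FLAGGED_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "->", find_allow_all_principals(doc))
```

Feed it the output of `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) to check a live bucket; an empty list means no statement in the policy matches the rule.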