S3 Bucket has all actions allowed for any principal
ID |
aws_s3_bucket_permissions |
Severity |
critical |
Vendor |
AWS |
Resource |
IAM |
Tags |
asvs50-v8.2.1, reachable |
Description
S3 Bucket has all actions allowed for any principal. The policy configured has access to all actions for any users. You have the configuration Effect=Allow, Action="*".
To fix it, you must configure the actions that allow access in the Action property.
Learn more about this topic at AWS S3 Bucket policy.
Examples
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "*",
"Resource": "arn:aws:s3:::targetBucketName",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
}
]
}Mitigation / Fix
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::targetBucketName",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
}
]
}