
Ensure Bucket ACL Does Not Grant FULL_CONTROL Permission to AWS Users Rule

This rule ensures that the bucket ACL does not grant FULL_CONTROL permission to AWS users.

Rule: Ensure bucket ACL does not grant FULL_CONTROL permission to AWS users
Framework: CloudDefense.AI Security
Severity: Critical

Rule Description:

The rule ensures that the Access Control List (ACL) of the bucket does not grant FULL_CONTROL permission to any AWS user, including the CloudDefense service principal. A FULL_CONTROL grant lets the grantee read, write and change the permissions of the bucket, so this is important to maintain the security and privacy of the sensitive data stored in the bucket.

Troubleshooting Steps:

If there are any issues related to the bucket ACL granting FULL_CONTROL permission to the CloudDefense service, follow these troubleshooting steps:

  1. Validate CloudDefense IAM Role: Confirm that the CloudDefense IAM role is correctly configured and has the necessary permissions to access the bucket. Verify if the CloudDefense IAM role has been mistakenly granted FULL_CONTROL permission.

  2. Check Bucket ACL: Examine the bucket's ACL to determine if any AWS users or groups, including the CloudDefense service, have been granted FULL_CONTROL permission.

  3. Review Bucket Policies: Check if there are any bucket policies that override or conflict with the bucket's ACL settings. Ensure that the policies do not grant FULL_CONTROL permission to the CloudDefense service.

  4. Audit User Permissions: Perform an audit of AWS user permissions to identify any users who have been granted access to the bucket and check if FULL_CONTROL permission has been granted unintentionally.

Remediation Steps:

To remediate the issue and ensure that the bucket ACL does not grant FULL_CONTROL permission to the CloudDefense service, follow these steps:

  1. Identify the AWS account and region where the bucket is located.

  2. Open the AWS Management Console and navigate to the Amazon S3 service.

  3. Find and select the specific bucket in question.

  4. Click on the "Permissions" tab in the bucket detail view.

  5. Review the "Access control list (ACL)" section and check if any entries grant FULL_CONTROL permission to the CloudDefense service.

  6. If there are any entries found, select the entry and click on the "Edit" button.

  7. Remove the permission for FULL_CONTROL from the CloudDefense service. Save the changes.

  8. Confirm that the ACL no longer grants FULL_CONTROL permission to the CloudDefense service.

  9. Additionally, review and update any relevant bucket policies to ensure they are not conflicting with the desired ACL settings.

  10. Perform regular checks to validate that the bucket ACL remains in compliance by repeating the previous steps periodically.
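The following script is an added example, not part of the CloudDefense.AI rule page or the CloudDefense product. It automates troubleshooting step 2 (check the bucket ACL) and produces the owner-only ACL document that remediation step 7 applies by hand. It operates on a JSON document in the shape returned by `aws s3api get-bucket-acl`; the sample ACL, the canonical-ID placeholders and the severity labels are constructed for the example.

```python
"""Audit an S3 bucket ACL for FULL_CONTROL grants held by anyone other than the owner.

Input shape (as returned by `aws s3api get-bucket-acl` or boto3 get_bucket_acl):
{"Owner": {"ID": ..., "DisplayName": ...},
 "Grants": [{"Grantee": {...}, "Permission": "FULL_CONTROL" | "READ" | ...}, ...]}
"""
import json

# Well-known S3 group URIs. A FULL_CONTROL grant to either one is effectively public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def describe_grantee(grantee):
    """Return a stable string identifying a grantee regardless of its type."""
    gtype = grantee.get("Type")
    if gtype == "CanonicalUser":
        return f"CanonicalUser:{grantee.get('ID')}"
    if gtype == "Group":
        return f"Group:{grantee.get('URI')}"
    if gtype == "AmazonCustomerByEmail":
        return f"Email:{grantee.get('EmailAddress')}"
    return f"{gtype}:?"


def find_full_control_grants(acl):
    """Return (grantee, severity) for every FULL_CONTROL grant not held by the bucket owner.

    Grants to the public groups are rated "critical"; any other non-owner
    grantee (another account's canonical user, e.g. a scanner service) is "high".
    """
    owner_id = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        if grant.get("Permission") != "FULL_CONTROL":
            continue
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == owner_id:
            continue  # the owner's own FULL_CONTROL grant is expected and compliant
        severity = "critical" if grantee.get("URI") in PUBLIC_GROUP_URIS else "high"
        findings.append((describe_grantee(grantee), severity))
    return findings


def owner_only_acl(acl):
    """Build an AccessControlPolicy in which only the owner holds FULL_CONTROL.

    Grants with any permission other than FULL_CONTROL (for example WRITE for
    the S3 log-delivery group) are kept, so unrelated access is not disturbed.
    The result can be written to acl.json and applied with
    `aws s3api put-bucket-acl --bucket <bucket_name> --access-control-policy file://acl.json`.
    """
    owner = acl["Owner"]
    kept = [g for g in acl.get("Grants", []) if g.get("Permission") != "FULL_CONTROL"]
    kept.insert(0, {"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]},
                    "Permission": "FULL_CONTROL"})
    return {"Owner": dict(owner), "Grants": kept}


# Constructed sample in the shape of get-bucket-acl output; the IDs are placeholders, not real accounts.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "bucket-owner", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER",
                     "DisplayName": "bucket-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "SCANNER-ACCOUNT-CANONICAL-ID-PLACEHOLDER",
                     "DisplayName": "scanner-service"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for grantee, severity in find_full_control_grants(SAMPLE_ACL):
        print(f"[{severity}] FULL_CONTROL granted to {grantee}")
    print(json.dumps(owner_only_acl(SAMPLE_ACL), indent=2))
```

Against the sample, the audit reports the scanner account as "high" and the AllUsers grant as "critical"; the owner-only policy it emits keeps the owner's FULL_CONTROL and the log-delivery WRITE grant and nothing else, so running the audit on that output returns no findings.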

Code Example:

Example CLI commands to inspect the bucket ACL and remove FULL_CONTROL permission for the CloudDefense service:

aws s3api get-bucket-acl --bucket <bucket_name>

aws s3api put-bucket-acl --bucket <bucket_name> --acl private

Replace <bucket_name> with the actual bucket name. The first command lists the current grants; if the CloudDefense service has been granted FULL_CONTROL, it appears as a grantee entry with "Permission": "FULL_CONTROL". The second command resets the bucket to the canned "private" ACL, in which only the bucket owner holds FULL_CONTROL, which removes the grant for the CloudDefense service principal (and for every other non-owner grantee). Do not use --grant-full-control here: that option adds a FULL_CONTROL grant rather than removing one. If other ACL grants must be preserved, apply an explicit policy instead with --access-control-policy file://acl.json, where acl.json contains the owner's FULL_CONTROL grant and only the entries you intend to keep.

It's important to note that the CloudDefense service principal is the specific IAM user or role associated with the CloudDefense service; in the ACL output it is listed under the canonical user ID of its AWS account rather than under an IAM ARN, so look for that ID when confirming the grant has been removed.
