Plugin Title | S3 Bucket All Users ACL |
Cloud | AWS |
Category | S3 |
Description | Ensures S3 buckets do not allow global write, delete, or read ACL permissions |
More Info | S3 buckets can be configured to allow anyone, regardless of whether they are an AWS user or not, to write objects to a bucket or delete objects. This option should not be configured unless there is a strong business requirement. |
AWS Link | http://docs.aws.amazon.com/AmazonS3/latest/UG/EditingBucketPermissions.html |
Recommended Action | Disable global all-users policies on all S3 buckets and ensure each bucket ACL is configured with least privilege. |
1. Log into the AWS Management Console.
2. Select the "Services" option and search for S3.
3. Scroll down the left navigation panel and choose "Buckets".
4. Select the "Bucket" that needs to be verified and click on its identifier (name) from the "Bucket name" column.
5. Click on the "Permissions" tab on the top menu.
6. Check the "Access Control List" option under "Permissions", scroll down the configuration page and check "Public access". If "Read bucket permissions", "Write objects", "List objects" and "Write bucket permissions" are set to "Yes", then the selected S3 bucket allows global write, delete, or read ACL permissions.
7. Repeat steps 2 - 6 to verify other S3 buckets in the region.
8. Select the "S3 bucket" on which global access needs to be disabled and click on the "Permissions" tab.
9. Scroll down the "Access Control List" configuration page and under "Public access" click on "Everyone" and uncheck the checkboxes against "Read bucket permissions", "Write objects", "List objects" and "Write bucket permissions".
10. Click on the "Save" button to make the necessary changes.
11. Repeat steps 8 - 10 to disable global write, delete, or read ACL permissions in other S3 buckets.
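The console steps above check the bucket ACL for grants to the "Everyone" (AllUsers) group and remove them. The same check and clean-up can be done programmatically. The following is an added example, not the plugin's own code: it works on an ACL dictionary in the shape returned by boto3's `get_bucket_acl` (the `SAMPLE_ACL` is constructed for this example, and the owner ID is a placeholder), flags grants to the global AllUsers and AuthenticatedUsers groups, maps each ACL permission to the console label used in the steps, and builds the cleaned policy that `put_bucket_acl(AccessControlPolicy=...)` expects. No AWS calls are made, so it runs offline.

```python
"""Detect and strip global-group grants from an S3 bucket ACL.

The ACL dictionaries mirror the structure boto3 returns from
s3.get_bucket_acl(Bucket=...); SAMPLE_ACL below is constructed for this
example and is not a real bucket's ACL.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Grantees that make a bucket reachable by anyone (or any AWS account).
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# ACL permission -> label shown under "Public access" in the S3 console.
CONSOLE_LABEL = {
    "READ": "List objects",
    "WRITE": "Write objects",
    "READ_ACP": "Read bucket permissions",
    "WRITE_ACP": "Write bucket permissions",
    "FULL_CONTROL": "all of the above",
}


def _is_public_grant(grant):
    """True if the grant's grantee is one of the global groups."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS


def public_grants(acl):
    """Return (group URI, permission) pairs granted to a global group."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if _is_public_grant(g)
    ]


def is_globally_accessible(acl):
    """The plugin's pass/fail condition: any global-group grant fails."""
    return bool(public_grants(acl))


def report(acl):
    """Human-readable findings using the console labels from the steps."""
    lines = []
    for uri, perm in public_grants(acl):
        group = uri.rsplit("/", 1)[-1]
        lines.append(f"{group}: {perm} ({CONSOLE_LABEL.get(perm, perm)})")
    return lines


def strip_public_grants(acl):
    """Return a new AccessControlPolicy with global-group grants removed.

    Non-global group grantees (e.g. the s3/LogDelivery group) are kept, as
    are all canonical-user grants. The result can be passed to
    s3.put_bucket_acl(Bucket=name, AccessControlPolicy=result).
    """
    kept = [g for g in acl.get("Grants", []) if not _is_public_grant(g)]
    return {"Owner": acl["Owner"], "Grants": kept}


# Constructed sample: owner has full control, AllUsers can list and write
# objects, and the log-delivery group (not global) can write.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}


if __name__ == "__main__":
    for line in report(SAMPLE_ACL):
        print("FAIL:", line)
    cleaned = strip_public_grants(SAMPLE_ACL)
    print("grants after clean-up:", len(cleaned["Grants"]))
    print("still public:", is_globally_accessible(cleaned))
```

To apply this against real buckets, fetch each ACL with `get_bucket_acl`, run `report` on it, and only after reviewing the findings push the result of `strip_public_grants` back with `put_bucket_acl`; also note that an ACL check alone does not cover bucket policies, which the console's "Public access" section treats separately.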