Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
26Dashboards
1161Controls
568Queries
2Variables
GitHub
Loading controls...

Control: 6 Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted

Description

This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket.

Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker.

The blacklistedactionpatterns parameter allows for successful evaluation of the rule for S3 buckets. The parameter grants access to external accounts for action patterns that are not included in the blacklistedactionpatterns list.

Remediation

To remediate this issue, edit the S3 bucket policy to remove the permissions.

To edit an S3 bucket policy

  1. Open the Amazon S3 console.
  2. In the Bucket name list, choose the name of the S3 bucket for which you want to edit the policy.
  3. Choose Permissions, and then choose Bucket Policy.
  4. In the Bucket policy editor text box, do one of the following:
    • Remove the statements that grant access to denied actions to other AWS accounts
    • Remove the permitted denied actions from the statements
  5. Choose Save.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_s3_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_s3_6 --share

SQL

This control uses a named query:

s3_bucket_policy_restricts_cross_account_permission_changes

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = sensitive_api_operations_actions_restricted
foundational_security_item_id = s3_6
plugin = aws
service = AWS/S3