Skip to main content

lacework-global-133

Ensure the bucket ACL does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL]

Description

The S3 bucket ACL gives 'Everyone' permission to write [or re-write] the bucket ACL. It is best practice to restrict WRITE_ACP permission to only principals who require it.

Note: S3 buckets created with the default/recommended AWS settings have ACLs disabled and will therefore be compliant with this policy.

Remediation

Perform the following to revoke WRITE_ACP permission for 'Everyone':

  1. Sign in to the AWS Management Console

  2. Select Services

  3. Select S3

  4. Select the bucket to change

  5. Navigate to Permissions

  6. Navigate to Access Control List and select Edit

  7. Against Everyone (public access), uncheck 'Write' under Bucket ACL

  8. Select Save changes

  9. Repeat steps 4-8 for each bucket requiring updated permissions