lacework-global-136
Ensure the bucket ACL does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects]
Description
The S3 bucket ACL gives any authenticated AWS user permission to create, write and delete objects in the bucket. It is best practice to restrict WRITE permission to only principals who require it.
Note: S3 buckets created with the default/recommended AWS settings have ACLs disabled and will therefore be compliant with this policy.
Remediation
Perform the following to revoke WRITE permission for all AWS users:
Sign in to the AWS Management Console
Select Services
Select S3
Select the bucket to change
Navigate to Permissions
Navigate to Access Control List and select Edit
Against Authenticated users group (anyone with an AWS account), uncheck 'Write' under Objects
Select Save changes
Repeat steps 4-8 for each bucket requiring updated permissions