lacework-global-99

Ensure the attached S3 bucket policy does not grant global 'Delete' permission

Description

The S3 bucket policy contains an 'Allow' statement that grants a global (wildcard) 'Delete' permission to everyone. It is best practice to restrict policies to the specific actions that are required rather than one global wildcard action.

Remediation

Perform the following to remove Delete permissions for everyone from the S3 bucket:

  1. Sign in to the AWS Management Console

  2. Select Services

  3. Select S3

  4. Select an S3 bucket

  5. Select Permissions

  6. Select Edit next to Bucket policy

  7. Locate any statement with Effect value set to 'Allow' with a Principal element set to '*' or 'AWS':'*' and no conditions

  8. To entirely disable access remove the statement

  9. To limit permissions to specific actions, replace the global (wildcard) 'Delete' action with only the specific 'Delete' actions that are required

  10. Select Save changes

  11. Repeat steps 4-10 for each bucket requiring updated permissions
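The check in step 7 and the fix in step 9 can be expressed as code. The following is an added example, not Lacework's own checker and not an AWS API: it works offline on two constructed bucket-policy documents. A statement is flagged when it has Effect 'Allow', a Principal of '*' or {'AWS': '*'}, a wildcard Delete action (such as s3:Delete* or *) and no Condition element. The bucket name, account id and role name in the sample policies are placeholders.

```python
"""Flag S3 bucket-policy statements that grant a global 'Delete' to everyone.

Added example (not Lacework's or AWS's code). It applies the step-7 criteria
to a policy document: Effect 'Allow', anonymous Principal, wildcard Delete
action, no Condition. Policies below are constructed sample data.
"""
import fnmatch
import json

# Constructed sample: the non-compliant policy the finding describes.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicDelete",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:Delete*",
            "Resource": "arn:aws:s3:::example-bucket/*",  # placeholder bucket
        }
    ],
})

# Constructed sample: the same policy after step 9. Only the one Delete action
# that is needed is granted, to a named principal, and a Condition is present.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleDeleteObjects",
            "Effect": "Allow",
            # placeholder account id and role name
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        }
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal) -> bool:
    """True for Principal '*' or {'AWS': '*'} (the '*' may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def is_global_delete_action(action: str) -> bool:
    """A 'global' Delete is any wildcard pattern that covers a Delete action.

    IAM action names are case-insensitive, so both sides are lower-cased.
    Matches '*', 's3:*', 's3:Delete*', 's3:DeleteObject*'; a literal action
    such as 's3:DeleteObject' is not global.
    """
    pattern = action.lower()
    return "*" in pattern and fnmatch.fnmatchcase("s3:deleteobject", pattern)


def find_global_delete_statements(policy_json: str) -> list:
    """Return Sids (or positional labels) of statements matching step 7.

    NotAction / NotPrincipal forms are not evaluated here; a statement using
    them should be reviewed by hand.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # any Condition disqualifies under step 7
            continue
        if any(is_global_delete_action(a) for a in _as_list(stmt.get("Action"))):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


if __name__ == "__main__":
    print("bad   :", find_global_delete_statements(BAD_POLICY))    # ['PublicDelete']
    print("fixed :", find_global_delete_statements(FIXED_POLICY))  # []
```

To run this against a real bucket, feed it the JSON string returned by the Permissions page (or by a policy export) in place of the constructed samples; the checker deliberately treats any Condition as disqualifying, exactly as step 7 does, so a public statement that is scoped by a Condition still deserves a manual look.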