Ensure that all your Amazon S3 buckets are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access. Before the Trend Cloud One™ – Conformity engine runs this rule, you have to configure the rule and provide the identifiers of the trusted AWS accounts as a comma-separated list of valid AWS account IDs (e.g. 123456789012) and/or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing untrusted cross-account access to your Amazon S3 buckets via bucket policies can lead to unauthorized actions such as viewing, uploading, modifying, or deleting S3 objects. To prevent S3 data exposure, data loss and/or unexpected charges on your AWS bill, you must grant access only to trusted entities by implementing the recommended access policies.
Audit
To determine if there are any Amazon S3 buckets that allow unknown cross-account access, perform the following actions:
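As an added example (not code from the Conformity rule page or its engine), the following Python checker applies the rule's logic offline to a bucket policy document such as the one returned by get-bucket-policy: every Allow statement whose AWS principal is a wildcard or resolves to an account outside the configured trusted list (account IDs or account ARNs, as the rule accepts) is reported. The sample policy, bucket name and account IDs are constructed for illustration.

```python
import json
import re

# Constructed sample bucket policy (not from the original page): one statement grants a
# trusted account, one grants an unknown account's role, one is public, one is a Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999999999999:role/Reader"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::demo-bucket"},
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-bucket/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::demo-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

_ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def account_of(principal: str) -> str:
    """Map a bare 12-digit account ID or an IAM ARN (root, user, role) to its account ID.
    '*' is returned as-is; any unrecognised form is returned verbatim so it gets flagged."""
    if principal == "*" or re.fullmatch(r"\d{12}", principal):
        return principal
    m = _ARN_ACCOUNT.match(principal)
    return m.group(1) if m else principal


def untrusted_principals(policy_json: str, trusted: list[str]) -> list[tuple[str, str]]:
    """Return (Sid or Statement[index], principal) for each Allow statement whose AWS
    principal is not in the trusted set. Deny statements are ignored; Service and
    Federated principals are skipped because they are not cross-account grants."""
    trusted_ids = {account_of(t) for t in trusted}
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws = ["*"]
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
        else:
            aws = []
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or account_of(p) not in trusted_ids:
                findings.append((stmt.get("Sid", f"Statement[{i}]"), p))
    return findings


if __name__ == "__main__":
    for sid, p in untrusted_principals(SAMPLE_POLICY, ["123456789012"]):
        print(f"{sid}: untrusted principal {p}")
```

The checker is deliberately conservative: a Condition element on an Allow statement is not evaluated, so a conditional cross-account grant is still reported for manual review.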
Remediation / Resolution
To update the bucket policies associated with your Amazon S3 buckets in order to allow cross-account access only from trusted AWS entities, perform the following actions:
References
- AWS Documentation
  - Amazon S3 FAQs
  - Bucket policies and user policies
  - Policies and Permissions in Amazon S3
  - Bucket Policy Examples
  - Identity and access management in Amazon S3
- AWS Command Line Interface (CLI) Documentation
  - s3api
  - list-buckets
  - get-bucket-policy
  - put-bucket-policy
- CloudFormation Documentation
  - AWS::S3::Bucket
- Terraform Documentation
  - AWS Provider