S3 Cross Account Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: S3-015

Ensure that all your Amazon S3 buckets are configured to allow access only to trusted AWS accounts, in order to protect against unauthorized cross-account access. Before the Trend Cloud One™ – Conformity engine can run this rule, you have to configure it with the identifiers of the trusted AWS accounts as a comma-separated list of valid AWS account IDs (e.g. 123456789012) and/or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Granting untrusted AWS accounts cross-account access to your Amazon S3 buckets via bucket policies can lead to unauthorized actions such as viewing, uploading, modifying, or deleting S3 objects. Note that a bucket policy naming a specific foreign account as "Principal" is not treated as public, so S3 Block Public Access does not stop it; such a grant is only as safe as the account it names. To prevent S3 data exposure, data loss and/or unexpected charges on your AWS bill, grant access only to trusted entities by implementing the recommended access policies.

Audit

To determine if there are any Amazon S3 buckets that allow unknown cross-account access, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Permissions tab from the console menu to access the bucket permissions.

05 In the Bucket policy section, check the policy document for every statement with "Effect": "Allow" and note the value(s) of its "Principal" element. The value can be a single string or a list, and each entry is an AWS account ID (e.g. 123456789012), an AWS account ARN (e.g. arn:aws:iam::123456789012:root), or an IAM user or role ARN in that account (e.g. arn:aws:iam::123456789012:role/etl); in every form, the 12-digit account ID is what you compare against the trusted list. A "Principal" of "*" is an anonymous grant rather than a grant to a specific account and needs its own review.

06 Sign in to your Trend Cloud One™ – Conformity account, access the S3 Cross Account Access rule settings, and compare the "Principal" identifier(s) found within the bucket policy verified at the previous step against each identifier listed in the rule configuration section. If the "Principal" identifier does not match any of the trusted account entities defined in the rule configuration section, the cross-account access to the selected Amazon S3 bucket is not secured.

07 Repeat steps no. 3 – 6 for each Amazon S3 bucket that you want to examine, available in your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
    --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
  "cc-prod-web-data",
  "cc-project5-share-data"
]

03 Run get-bucket-policy command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter to describe the bucket policy (JSON format) attached to the selected S3 bucket:

aws s3api get-bucket-policy \
  --bucket cc-prod-web-data \
  --query Policy \
  --output text

04 The command output should return the requested bucket policy document:

{
    "Id": "cc-s3-prod-access-policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::cc-prod-web-data/*"
        }
    ]
}

Check the policy document returned by the get-bucket-policy command output: for every statement with "Effect": "Allow", note the value(s) of the "Principal" element, which can be a single string or a list of AWS account IDs (e.g. 123456789012), AWS account ARNs (e.g. arn:aws:iam::123456789012:root) or IAM user/role ARNs in those accounts. In each case the 12-digit account ID, given directly or embedded in the ARN, is the identifier to compare.

05 Sign in to your Trend Cloud One™ – Conformity account, access the S3 Cross Account Access rule settings, and compare the "Principal" identifier(s) found within the bucket policy verified at the previous step against each identifier listed in the rule configuration section. If the "Principal" identifier does not match any of the trusted account entities defined in the rule configuration section, the cross-account access to the selected Amazon S3 bucket is not secured.

06 Repeat steps no. 3 – 5 for each Amazon S3 bucket that you want to examine, available within your AWS cloud account.

Remediation / Resolution

To update the bucket policies associated with your Amazon S3 buckets in order to allow cross-account access only from trusted AWS entities, perform the following actions. The examples below keep the page's "s3:*" grant on the bucket's objects for a single trusted account root; in practice, scope "Action" to what the other account actually needs, and add the bucket ARN itself (e.g. arn:aws:s3:::cc-prod-web-data) to "Resource" only if bucket-level actions such as s3:ListBucket are required.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Secure Cross Account Access",
    "Resources": {
      "CrossAccountAccessPolicy": {
          "Type": "AWS::S3::BucketPolicy",
          "UpdateReplacePolicy": "Delete",
          "Properties": {
              "Bucket": "cc-prod-web-data",
              "PolicyDocument": {
                  "Version": "2012-10-17",
                  "Id": "cc-s3-prod-access-policy",
                  "Statement": [
                      {
                          "Effect": "Allow",
                          "Principal": {
                              "AWS": "arn:aws:iam::123412341234:root"
                          },
                          "Action": "s3:*",
                          "Resource": "arn:aws:s3:::cc-prod-web-data/*"
                      }
                  ]
              }
          }
      }
   }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Secure Cross Account Access
Resources:
  CrossAccountAccessPolicy:
    Type: AWS::S3::BucketPolicy
    UpdateReplacePolicy: Delete
    Properties:
      Bucket: cc-prod-web-data
      PolicyDocument:
        Version: '2012-10-17'
        Id: cc-s3-prod-access-policy
        Statement:
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::123412341234:root
          Action: s3:*
          Resource: arn:aws:s3:::cc-prod-web-data/*

Using Terraform

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "cross-account-bucket" {
  bucket = "cc-prod-web-data"
}

resource "aws_s3_bucket_policy" "cross-account-bucket-policy" {
  bucket = aws_s3_bucket.cross-account-bucket.id

  policy = jsonencode({
    "Id": "cc-s3-prod-access-policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123412341234:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::cc-prod-web-data/*"
        }
     ]
  })
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Permissions tab from the console menu to access the bucket permissions.

05 In the Bucket policy section, choose Edit to modify the bucket policy attached to the selected bucket.

06 In the Policy editor box, find the non-compliant "Principal" element and remove the unknown (untrusted) AWS account ID or AWS account ARN from the "Principal" element value, or replace it with the account ID or ARN of the trusted AWS entity defined in the Conformity rule settings if that access is still required. Repeat this step for each unknown AWS entity, in order to implement secure and trustworthy cross-account access, then choose Save changes to apply the changes.

07 Repeat steps no. 3 – 6 for each Amazon S3 bucket configured with unknown cross-account access, available in your AWS cloud account.

Using AWS CLI

01 Modify the policy document attached to the Amazon S3 bucket that you want to reconfigure (see Audit section part II to identify the right S3 resource): remove the unknown (untrusted) AWS account ID or AWS account ARN from the "Principal" element value, or replace it with the account ID or ARN of the trusted AWS entity defined in the Conformity rule settings if that access is still required. Save your policy document to a JSON file named cc-cross-account-access-policy.json. The following bucket policy example allows cross-account access to a trusted AWS account identified by the ARN "arn:aws:iam::123412341234:root":

{
    "Id": "cc-s3-prod-access-policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123412341234:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::cc-prod-web-data/*"
        }
    ]
}

02 Run put-bucket-policy command (OSX/Linux/UNIX) to replace the non-compliant bucket policy attached to the selected Amazon S3 bucket with the policy modified at the previous step (if successful, the command request should not produce an output):

aws s3api put-bucket-policy \
  --bucket cc-prod-web-data \
  --policy file://cc-cross-account-access-policy.json

03 Repeat steps no. 1 and 2 for each Amazon S3 bucket configured with untrusted cross-account access, available within your AWS cloud account.
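The following script is an added example for this page, not Conformity's engine and not AWS code. It applies both the Audit check (CLI steps 4 and 5 above) and the Remediation rewrite (step 1 of this section) offline to a policy document as returned by the get-bucket-policy command, using the trusted-account string in the same comma-separated ID/ARN form the rule settings take. The sample policy, the account IDs 123412341234, 444455556666 and 111122223333, and the role name etl are constructed for the example. Unlike the manual steps it removes an untrusted principal instead of substituting a trusted one, dropping a statement that is left with no trusted principal; Deny statements and non-AWS principals (Service, Federated, CanonicalUser) are left alone, and statements using NotPrincipal or Condition still need a manual look.

```python
"""Offline audit/remediation of cross-account grants in an S3 bucket policy.

Added example for this page (not Conformity's engine, not AWS code). Input is
the document printed by `aws s3api get-bucket-policy --query Policy --output text`
and the rule's trusted-account setting (comma-separated IDs and/or root ARNs).
"""
import copy
import json
import re

# Captures the 12-digit account ID of any IAM/STS principal ARN in any partition:
# arn:aws:iam::123412341234:root, arn:aws:iam::...:role/x, arn:aws:sts::...:assumed-role/x/y
_ARN_ACCOUNT = re.compile(r"^arn:[^:]+:(?:iam|sts)::(\d{12}):")
_ACCOUNT_ID = re.compile(r"^\d{12}$")

# Constructed sample: bucket name, account IDs and role are illustrative, not real.
TRUSTED_RULE_SETTING = "123412341234, arn:aws:iam::444455556666:root"
SAMPLE_POLICY = {
    "Id": "cc-s3-prod-access-policy",
    "Version": "2012-10-17",
    "Statement": [
        {   # mixed grant: one trusted account root, one role in an unknown account
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::123412341234:root",
                                  "arn:aws:iam::111122223333:role/etl"]},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cc-prod-web-data/*",
        },
        {   # anonymous grant: not a cross-account grant, never trusted
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::cc-prod-web-data/public/*",
        },
        {   # Deny statements are never touched
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": "arn:aws:s3:::cc-prod-web-data/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # service principals are outside this rule's scope
            "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject", "Resource": "arn:aws:s3:::cc-prod-web-data/logs/*",
        },
    ],
}


def normalize_trusted(setting):
    """Rule setting (IDs and/or arn:...:root ARNs, comma-separated) -> set of account IDs."""
    trusted = set()
    for ident in (s.strip() for s in setting.split(",") if s.strip()):
        m = _ARN_ACCOUNT.match(ident)
        if _ACCOUNT_ID.match(ident):
            trusted.add(ident)
        elif m:
            trusted.add(m.group(1))
        else:
            raise ValueError(f"not an AWS account ID or account ARN: {ident}")
    return trusted


def account_of(principal):
    """Owning account of one AWS principal value; '*' for anonymous; None if unrecognised."""
    if principal == "*":
        return "*"
    if _ACCOUNT_ID.match(principal):
        return principal
    m = _ARN_ACCOUNT.match(principal)
    return m.group(1) if m else None


def aws_principals(stmt):
    """Values under Principal.AWS as a list; a bare "*" principal is treated as AWS "*"."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []  # no Principal (e.g. NotPrincipal only): review manually


def find_untrusted(policy, trusted):
    """Audit: (statement index, principal) for every Allow grant not owned by a trusted account.
    Put the bucket owner's own account in `trusted` too, or same-account grants are reported."""
    return [(i, p) for i, s in enumerate(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            for p in aws_principals(s) if account_of(p) not in trusted]


def remove_untrusted(policy, trusted):
    """Remediate: return a copy with untrusted principals stripped from Allow statements.
    A statement left with no trusted AWS principal is dropped; Deny and non-AWS principals stay."""
    fixed = copy.deepcopy(policy)
    kept = []
    for stmt in fixed.get("Statement", []):
        grants = aws_principals(stmt)
        if stmt.get("Effect") != "Allow" or not grants:
            kept.append(stmt)
            continue
        remaining = [p for p in grants if account_of(p) in trusted]
        if not remaining:
            continue  # nothing trusted left to grant: drop the statement
        stmt["Principal"]["AWS"] = remaining[0] if len(remaining) == 1 else remaining
        kept.append(stmt)
    fixed["Statement"] = kept
    return fixed


def demo(policy=SAMPLE_POLICY, setting=TRUSTED_RULE_SETTING):
    trusted = normalize_trusted(setting)
    return find_untrusted(policy, trusted), remove_untrusted(policy, trusted)


if __name__ == "__main__":
    findings, remediated = demo()
    for i, p in findings:
        print(f"Statement[{i}]: untrusted principal {p}")
    print(json.dumps(remediated, indent=2))  # save to a file and pass it to put-bucket-policy via file://
```

To use it against a real bucket, load the JSON printed by get-bucket-policy into `demo()` (or call `find_untrusted` / `remove_untrusted` directly), review the reported principals, and only then write the returned document to the file you pass to put-bucket-policy. On the constructed sample the audit reports the etl role in account 111122223333 and the anonymous "*" grant, and the remediated policy keeps three statements: the first reduced to the trusted root, the Deny, and the CloudTrail service grant.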

Publication date May 25, 2016