turbot/steampipe-mod-aws-compliance

Control: 6 Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted

Description

This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket.

Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If an S3 bucket policy allows access from external accounts, it could result in data exfiltration by an insider threat or an attacker.

The blacklistedactionpatterns parameter lists the action patterns that must not be granted to external accounts. The rule evaluates successfully for an S3 bucket whose policy grants external accounts only action patterns that are not included in the blacklistedactionpatterns list.

Remediation

To remediate this issue, edit the S3 bucket policy to remove the permissions.

To edit an S3 bucket policy

  1. Open the Amazon S3 console.
  2. In the Bucket name list, choose the name of the S3 bucket for which you want to edit the policy.
  3. Choose Permissions, and then choose Bucket Policy.
  4. In the Bucket policy editor text box, do one of the following:
    • Remove the statements that grant other AWS accounts access to the denied actions
    • Remove the denied actions from the statements that permit them
  5. Choose Save.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_s3_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_s3_6 --share

SQL

This control uses a named query. It reads each bucket's normalized policy (policy_std), selects Allow statements whose AWS principal is the wildcard * or an ARN from a different account, and compares the statement's actions against five literal lowercase action names; a statement that grants a wildcard such as s3:* to an external principal is not matched by that list.

with cross_account_buckets as (
  select distinct
    arn
  from
    aws_s3_bucket,
    jsonb_array_elements(policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
    -- arn:partition:service:region:account:resource, so pa[5] is the account field
    string_to_array(p, ':') as pa,
    jsonb_array_elements_text(s -> 'Action') as a
  where
    s ->> 'Effect' = 'Allow'
    and (
      pa[5] != account_id
      or p = '*'
    )
    -- policy_std lowercases action names, so the literal match is case-insensitive
    and a in (
      's3:deletebucketpolicy',
      's3:putbucketacl',
      's3:putbucketpolicy',
      's3:putencryptionconfiguration',
      's3:putobjectacl'
    )
)
select
  a.arn as resource,
  case
    when b.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.arn is null then title || ' restricts cross-account bucket access.'
    else title || ' allows cross-account bucket access.'
  end as reason,
  a.region,
  a.account_id
from
  aws_s3_bucket a
  left join cross_account_buckets b on a.arn = b.arn;
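The same check, re-implemented as a stand-alone Python function so it can be run against a single bucket policy document offline (an added example, not code from the mod). It mirrors the policy_std normalization the query relies on (scalars to lists, lowercase action names, a bare "*" principal) and goes one step beyond the SQL's literal IN list by expanding action wildcards such as s3:Put* with fnmatch. The sample policy, account IDs and bucket name are constructed.

```python
import fnmatch
import json

# The five actions the control's query treats as denied for external principals
BLACKLISTED_ACTIONS = ("s3:deletebucketpolicy", "s3:putbucketacl", "s3:putbucketpolicy",
                       "s3:putencryptionconfiguration", "s3:putobjectacl")

def _as_list(value):
    """Mimic policy_std: scalar -> one-element list, missing -> empty list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _aws_principals(principal):
    """AWS principals of a statement; a bare "*" principal normalizes to ["*"]."""
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []

def _is_external(principal, account_id):
    """True for "*" or an ARN (arn:partition:service:region:account:...) from another account."""
    if principal == "*":
        return True
    parts = principal.split(":")
    return len(parts) < 5 or parts[4] != account_id

def evaluate_bucket_policy(policy_json, account_id, blacklist=BLACKLISTED_ACTIONS):
    """Return ("ok" | "alarm", sorted offending actions), mirroring the control's query.
    Unlike the SQL's exact match, action wildcards (s3:*, s3:Put*) are expanded with
    fnmatch so a wildcard grant to an external principal is flagged too."""
    offending = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_is_external(p, account_id) for p in _aws_principals(stmt.get("Principal"))):
            continue
        for action in _as_list(stmt.get("Action")):
            offending.update(b for b in blacklist if fnmatch.fnmatchcase(b, action.lower()))
    return ("alarm" if offending else "ok"), sorted(offending)

# Constructed sample policy for bucket owner 111111111111: statement 1 is same-account, statement 2
# grants s3:Put* to another account (caught only by the wildcard match, not by the SQL's IN list)
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": ["s3:GetObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:user/partner"},
     "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket"}]})
```

Calling evaluate_bucket_policy(SAMPLE_POLICY, "111111111111") returns "alarm" with the four s3:put* actions from the list; the same policy evaluated from account 222222222222's point of view flags only s3:putobjectacl from the first statement.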

Tags