Control: S3 bucket ACLs should not be accessible to all authenticated users
Description
This control checks whether an AWS S3 bucket's ACL grants access to the global AuthenticatedUsers group, i.e. to any AWS account holder rather than to the public at large.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.s3_bucket_not_accessible_to_all_authenticated_user
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.s3_bucket_not_accessible_to_all_authenticated_user --share
SQL
This control uses a named query:
with public_acl as (
  select distinct name
  from aws_s3_bucket,
    jsonb_array_elements(acl -> 'Grants') as grants
  where grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
)
select
  b.arn as resource,
  case when p.name is null then 'ok' else 'alarm' end as status,
  case
    when p.name is null then b.title || ' not accessible to all authenticated user.'
    else b.title || ' accessible to all authenticated user.'
  end as reason,
  b.region,
  b.account_id
from aws_s3_bucket as b
left join public_acl as p on b.name = p.name;
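The query above flags a bucket when any entry in the ACL's Grants list names the global AuthenticatedUsers group. As an added example (not part of the aws_compliance mod or Steampipe), the Python below applies the same rule offline to ACL documents in the shape S3's GetBucketAcl returns (which is what the aws_s3_bucket acl column holds), producing the same resource/status/reason fields the control emits. The bucket names, owner IDs and ACLs are constructed sample data; the third bucket, granted to the AllUsers group, shows that this control deliberately does not alarm on fully public grants, which are a separate check.

```python
"""Classify S3 bucket ACLs the way the control's named query does.

Added example, not the Powerpipe mod's own code. ACL documents follow the
GetBucketAcl response shape; all sample buckets and IDs are constructed.
"""
from typing import Any

# Grantee URI of the "any AWS account" group that the control looks for.
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Included only to show what this control does NOT flag (the public group).
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"


def grants_to_all_authenticated_users(acl: dict) -> bool:
    """True when any grant's grantee is the global AuthenticatedUsers group.

    Mirrors the CTE: jsonb_array_elements(acl -> 'Grants') filtered on
    grants -> 'Grantee' ->> 'URI'. Permission level is irrelevant; any grant
    to the group is enough.
    """
    for grant in acl.get("Grants", []):
        grantee: dict[str, Any] = grant.get("Grantee") or {}
        if grantee.get("URI") == AUTHENTICATED_USERS_URI:
            return True
    return False


def evaluate_bucket(name: str, acl: dict) -> dict:
    """Return the resource/status/reason row the control emits for one bucket."""
    exposed = grants_to_all_authenticated_users(acl)
    verb = "accessible" if exposed else "not accessible"
    return {
        "resource": f"arn:aws:s3:::{name}",  # constructed ARN from the sample name
        "status": "alarm" if exposed else "ok",
        "reason": f"{name} {verb} to all authenticated users.",
    }


# Constructed sample ACLs (owner canonical ID is a placeholder).
SAMPLE_BUCKETS = {
    "private-logs": {
        "Owner": {"ID": "owner-canonical-id-placeholder"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
             "Permission": "FULL_CONTROL"},
        ],
    },
    "shared-with-any-aws-account": {
        "Owner": {"ID": "owner-canonical-id-placeholder"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
             "Permission": "READ"},
        ],
    },
    "public-read": {
        "Owner": {"ID": "owner-canonical-id-placeholder"},
        "Grants": [
            {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI},
             "Permission": "READ"},
        ],
    },
}


def run_control(buckets: dict = SAMPLE_BUCKETS) -> list:
    """Evaluate every bucket; same left-join semantics as the query (one row each)."""
    return [evaluate_bucket(name, acl) for name, acl in buckets.items()]


if __name__ == "__main__":
    for row in run_control():
        print(f"{row['status']:5} {row['resource']}: {row['reason']}")
```

Running it prints one row per bucket: the AuthenticatedUsers grant alarms, the owner-only bucket passes, and the AllUsers bucket also passes under this particular control, which is why it should be run alongside the public-access checks rather than on its own.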