Amazon S3 publicly writable bucket
Description
Amazon S3 (Simple Storage Service) organizes files into buckets, which are containers accessible via predictable URLs. Each bucket and its objects can have access controls to restrict who can read, write, or delete content.
This vulnerability occurs when an S3 bucket used by the application grants write permissions to the public, either through a bucket ACL that gives WRITE, WRITE_ACP or FULL_CONTROL to the "Everyone" (AllUsers) or "Authenticated Users" group (the latter is any AWS account in the world, so it is public in practice), or through a bucket policy that allows write actions to a wildcard principal. This misconfiguration allows any unauthenticated user on the internet to upload new files, modify existing content, or delete objects within the bucket, compromising the integrity and availability of application resources. If the bucket serves application content (scripts, images, downloads), an attacker can replace it with malicious files that the application then delivers to its users.
Remediation
Immediately restrict write access to the affected S3 bucket by following these steps:

1. Review and update bucket ACLs:
- Navigate to the AWS S3 Console and select the affected bucket
- Go to the "Permissions" tab and review the Access Control List (ACL)
- Remove any grants that provide WRITE, WRITE_ACP or FULL_CONTROL permissions to "Everyone (public access)" or "Authenticated users group (anyone with an AWS account)"; WRITE on a bucket ACL allows creating, overwriting and deleting objects, and WRITE_ACP allows the grantee to give itself WRITE
- Preferably set Object Ownership to "Bucket owner enforced", which disables ACLs for the bucket entirely (the default for buckets created since April 2023) so that public grants cannot be re-added later

2. Configure bucket policies:
- Use a bucket policy to explicitly deny write operations from any principal outside your account. An explicit Deny overrides any Allow, whether it comes from an ACL, another policy statement or an IAM policy
- Example policy to prevent public writes (replace YOUR-BUCKET-NAME and YOUR-ACCOUNT-ID):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicWrite",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "YOUR-ACCOUNT-ID"
        }
      }
    }
  ]
}

- Anonymous requests carry no aws:PrincipalAccount value, and a negated operator such as StringNotEquals matches when its key is absent from the request, so this Deny applies to unauthenticated callers as well as to other AWS accounts
- The same Deny also blocks legitimate cross-account writers (for example, a log-delivery service or a partner account). If the bucket needs them, list their account IDs alongside your own in the condition value (the value may be an array)

3. Enable Block Public Access settings:
- In the bucket's "Permissions" tab, enable "Block all public access". This rejects public ACLs and public bucket policies for both reads and writes, and is the fastest way to close the exposure while the ACL and policy are cleaned up
- If the bucket must remain publicly readable, keep at least the two ACL-related settings enabled and express the public read as a bucket policy statement that allows only s3:GetObject; never combine a wildcard principal with a wildcard action

4. Audit existing objects:
- Review all objects in the bucket for unauthorized modifications or uploads; compare against a known-good manifest or the deployment pipeline's artifacts where one exists
- Use CloudTrail S3 data events or S3 server access logs, if they were enabled, to identify the source and timing of PutObject and DeleteObject requests during the exposure window
- Remove any suspicious or unauthorized files; if versioning was enabled, restore overwritten or deleted objects from their previous versions

5. Implement least privilege access:
- Grant write permissions only to the specific IAM users, roles, or services that require them
- Use IAM policies and bucket policies rather than bucket ACLs for more granular control

6. Verify the fix:
- Repeat the unauthenticated upload that produced this finding; it must now fail with 403 AccessDenied
- Confirm with `aws s3api get-public-access-block --bucket YOUR-BUCKET-NAME` that all four settings are true, and with `aws s3api get-bucket-acl` that no public group remains in the grants
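As an added example (not code from the original page or from AWS), the following Python script implements the ACL and bucket-policy checks from steps 1 and 2 and builds the Deny policy from step 2 with the cross-account caveat applied. It runs offline on the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return (the policy document is the parsed `Policy` string). The sample ACL, sample policy, bucket name and account IDs embedded below are constructed placeholders, not data from a real bucket.

```python
"""Offline check for public-write exposure on an S3 bucket (added example).

Input shapes match `aws s3api get-bucket-acl` and the parsed `Policy` string
from `aws s3api get-bucket-policy`. Sample data below is constructed.
"""
import fnmatch
import json

# Pre-defined ACL groups that make a grant public. AuthenticatedUsers means
# any AWS account in the world, which is public for practical purposes.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Bucket ACL permissions that allow creating, overwriting or deleting objects,
# or changing the ACL itself (from which WRITE can then be self-granted).
ACL_WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that mutate objects or the bucket's own access settings.
WRITE_ACTIONS = {
    "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
    "s3:DeleteObjectVersion", "s3:PutBucketAcl", "s3:PutBucketPolicy",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_write_grants(acl):
    """(grantee URI, permission) pairs that give a public group write access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in ACL_WRITE_PERMISSIONS):
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _is_public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_statements(policy):
    """(Sid, matched write actions, has_condition) for each Allow statement with
    a wildcard principal covering a write action. Conditioned statements are still
    reported: a Condition may or may not restrict the caller, so review by hand."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if "NotAction" in stmt:
            matched = set(WRITE_ACTIONS)  # allows everything not listed: assume full write
        else:
            # IAM matches action names case-insensitively with '*' and '?' wildcards.
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            matched = {a for a in WRITE_ACTIONS
                       if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        if matched:
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(matched), "Condition" in stmt))
    return findings


def is_publicly_writable(acl, policy):
    return bool(public_write_grants(acl) or public_write_statements(policy))


def deny_public_write_policy(bucket, account_id, trusted_accounts=()):
    """The DenyPublicWrite policy from step 2; trusted_accounts lists any
    legitimate cross-account writers so the Deny does not break them."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPublicWrite", "Effect": "Deny", "Principal": "*",
            "Action": ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Anonymous callers have no aws:PrincipalAccount; a negated operator
            # matches on a missing key, so they are denied along with foreign accounts.
            "Condition": {"StringNotEquals": {"aws:PrincipalAccount": [account_id, *trusted_accounts]}},
        }],
    }


# Constructed sample inputs: a bucket that is public-readable by design but has
# leaked write access through both its ACL and its policy.
_ALL = "http://acs.amazonaws.com/groups/global/AllUsers"
_AUTH = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": _ALL}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": _ALL}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": _AUTH}, "Permission": "WRITE_ACP"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "UploadsAnyone", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"],
     "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]}

if __name__ == "__main__":
    print("ACL public-write grants:", public_write_grants(SAMPLE_ACL))
    print("Policy public-write statements:", public_write_statements(SAMPLE_POLICY))
    print("Publicly writable:", is_publicly_writable(SAMPLE_ACL, SAMPLE_POLICY))
    print(json.dumps(deny_public_write_policy("example-bucket", "111122223333"), indent=2))
```

The policy check is deliberately conservative: a wildcard principal with a Condition (the VpcOnly statement) is reported rather than silently accepted, because only some condition keys (such as aws:SourceVpce or aws:PrincipalAccount) actually exclude anonymous callers, and that judgement belongs to a reviewer. Running the same two functions over the output of the Block Public Access and Object Ownership checks in step 6 closes the loop after remediation.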