Ensure S3 bucket does not allow an action with any Principal

Error: S3 bucket allows an action with any Principal

Bridgecrew Policy ID: BC_AWS_S3_23
Checkov Check ID: CKV_AWS_70
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: MEDIUM

S3 bucket allows an action with any Principal

Description

The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource. In Amazon S3, a Principal is the account or user who is allowed access to the actions and resources in the statement. When added to a bucket policy, the principal is the user, account, service, or other entity that is the recipient of this permission.

When you set the wildcard ("*") as the Principal value, you essentially grant permission to everyone. This is referred to as anonymous access. The following statements are all considered Anonymous Permissions.

## Example 1
"Principal":"*"

## Example 2
"Principal":{"AWS":"*"}

## Example 3
"Principal":{"AWS":["*", ...]}

When you grant anonymous access, anyone in the world can access your bucket. It is highly recommended never to grant any kind of anonymous write access to your S3 bucket.
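As an added example (not part of this Bridgecrew page and not the source of the Checkov check itself), the following Python detects all three anonymous Principal forms listed above inside a bucket policy document. The sample policy is constructed for the example; skipping Deny statements and ignoring Conditions are my assumptions about what a sensible policy-as-code check should do, not a description of how CKV_AWS_70 is implemented.

```python
import json

# Constructed sample bucket policy (not from the page). It mixes the three
# anonymous Principal shapes from the description with one correctly scoped
# statement and a wildcard Deny of the kind used to enforce TLS.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Form1", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Form2", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "Form3", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "*"]},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Scoped", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """Return True for the three wildcard shapes from the description.

    "*"                 -> anyone
    {"AWS": "*"}        -> anyone
    {"AWS": ["*", ...]} -> anyone, regardless of the other entries
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_allow_statements(policy_json):
    """Return the Sid (or index) of every Allow statement open to any principal.

    Assumptions of this example: Deny statements are skipped, because a Deny
    with Principal "*" is a common hardening pattern rather than a grant, and
    Conditions are not evaluated, so a conditioned Allow to "*" is still
    reported (the conservative choice for a static check).
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_anonymous(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    # Expected: the three anonymous forms, but not "Scoped" or "DenyInsecure".
    print(anonymous_allow_statements(SAMPLE_POLICY))
```

The `Scoped` statement shows the remediation the page describes: the same action and resource, but with the Principal limited to a specific IAM ARN, passes the check.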

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon S3 console.
  3. Select the Permissions tab, then select Bucket Policy.
  4. Remove policies for s3:List actions for principals '*'. If necessary, modify the policy instead, to limit the access to specific principals.

Fix - Buildtime

Terraform

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket"

  policy = <<POLICY
{
    "Id": "Policy1597273448050",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucket/*",
-           "Principal": "*"
        },
     ...