
I have a security issue raised by Trusted Advisor.

**S3 permissions granted to other AWS accounts in bucket policies should be restricted**

This checks if the S3 bucket policy allows sensitive bucket-level or object-level actions from a principal in another AWS account. The check fails if any of the following actions are allowed in the S3 bucket policy for a principal in another AWS account: s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutObjectAcl, and s3:PutEncryptionConfiguration.

I have an S3 bucket that is failing to comply with this check. It has a bunch of statements in its bucket policy. The one that is causing the security check to fail is the following:

```json
{
    "Sid": "AllowAppFlowDestinationActions",
    "Effect": "Allow",
    "Principal": {
        "Service": "appflow.amazonaws.com"
    },
    "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketAcl",
        "s3:PutObjectAcl"
    ],
    "Resource": [
        "arn:aws:s3:::qa-abhra",
        "arn:aws:s3:::qa-abhra/*"
    ],
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "account_number"
        },
        "ArnLike": {
            "aws:SourceArn": [
                "arn:aws:appflow:us-east-1:account_number:flow/contacts",
                "arn:aws:appflow:us-east-1:account_number:flow/account"
            ]
        }
    }
}
```

I understand the Service associated in the statement is not tied to an AWS account. But I have been able to mention the condition and ArnLike in the statement above as suggested in the docs. Why am I still getting the same security alert from Trusted Advisor? What can I do to fix the issue?

ab_padfoot

1 Answer


It would appear that the alert is caused by s3:PutObjectAcl.

Are you sure that you need to provide this permission? It can be used to "set the access control list (ACL) permissions for a new or existing object in an S3 bucket".

For example, it could be used to change a 'private' object into a 'public' object.

It could be safer not to provide this permission. The external service can set the ACL when it creates an object. There should be no need for it to change the ACL after the object has been created.

However, if you feel that the permissions are fine as-is, you can tell Trusted Advisor to exclude that item.

John Rotenstein
  • I can confirm that removing `s3:PutObjectAcl` has caused the alert to go off. I just have a follow-up question. It would be great if you could help me understand whether, with the above statement, I was able to tie the Service to a particular AWS account. It seems the alert went off because I removed the action mentioned, and the bucket policy still allows access to principals in other AWS accounts. – ab_padfoot Feb 21 '23 at 11:08
  • No idea! I was just basing my recommendation on the description you provided in the question. – John Rotenstein Feb 21 '23 at 11:13
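To see why the statement trips the check and why dropping `s3:PutObjectAcl` clears it, here is an added example (not code from the question, the answer, or AWS) that re-implements the check's logic as quoted in the question over a constructed copy of the AppFlow statement. It assumes, as the question observed, that the check ignores `aws:SourceAccount` conditions, so a service principal counts as "another account"; the account id is a placeholder.

```python
import json
from fnmatch import fnmatch

# Actions the Trusted Advisor check quoted in the question treats as sensitive.
SENSITIVE_ACTIONS = (
    "s3:DeleteBucketPolicy", "s3:PutBucketAcl", "s3:PutBucketPolicy",
    "s3:PutObjectAcl", "s3:PutEncryptionConfiguration",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principal_is_external(principal, own_account):
    """True unless the Principal is clearly limited to own_account.
    Assumption: like the check observed in the question, this ignores
    aws:SourceAccount conditions, so Service/Federated principals count as external."""
    if not isinstance(principal, dict):
        return True  # "*" (anonymous access)
    if "Service" in principal or "Federated" in principal:
        return True
    return any(own_account not in arn for arn in _as_list(principal.get("AWS", [])))

def flagged_statements(policy, own_account):
    """[(Sid, [sensitive actions])] for Allow statements granting a sensitive
    action to an external principal. Action wildcards (e.g. s3:Put*) are expanded."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        if not principal_is_external(stmt["Principal"], own_account):
            continue
        patterns = _as_list(stmt.get("Action", []))
        hits = [a for a in SENSITIVE_ACTIONS if any(fnmatch(a, p) for p in patterns)]
        if hits:
            findings.append((stmt.get("Sid", "<no Sid>"), hits))
    return findings

def remove_action(policy, sid, action):
    """Copy of policy with `action` dropped from statement `sid` (the fix from the answer)."""
    fixed = json.loads(json.dumps(policy))
    for stmt in _as_list(fixed["Statement"]):
        if stmt.get("Sid") == sid:
            stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a != action]
    return fixed

# Constructed sample: the AppFlow statement from the question; the account id is a placeholder.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAppFlowDestinationActions", "Effect": "Allow",
    "Principal": {"Service": "appflow.amazonaws.com"},
    "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
               "s3:ListBucketMultipartUploads", "s3:GetBucketAcl", "s3:PutObjectAcl"],
    "Resource": ["arn:aws:s3:::qa-abhra", "arn:aws:s3:::qa-abhra/*"],
    "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}}}]}

if __name__ == "__main__":
    print(flagged_statements(POLICY, "111111111111"))  # [('AllowAppFlowDestinationActions', ['s3:PutObjectAcl'])]
    fixed = remove_action(POLICY, "AllowAppFlowDestinationActions", "s3:PutObjectAcl")
    print(flagged_statements(fixed, "111111111111"))  # []
```

Running the same function over a policy pulled with `aws s3api get-bucket-policy` shows every statement the check would flag, which is quicker than removing actions one at a time.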