S3 Bucket Allows Cross Account Access
Overview
This check inspects S3 bucket policies to identify any cross-account access that is not known and trusted. It does so by comparing every cross-account "Allow" permission in a bucket policy against a configurable list of known trusted accounts, users and service principals, and reporting any principal that does not match.
This check is configurable to allow the following cross-account access to be considered trusted:
- All AWS Account IDs included in the Cloud Defense project tree
- Designated AWS accounts
  - By AWS account ID
  - By canonical user IDs for AWS accounts
- Federated Users
- Designated AWS services (Service Principals)
You can configure trusted accounts in the Root project's Trusted AWS Accounts setting, as well as choose to include all AWS Account IDs in the Cloud Defense project tree.
Vendor
AWS
Cloud Service
S3
Input
{
  "trustAllConnectedAccounts": {
    "label": "Trust All Known Accounts",
    "value": true,
    "type": "boolean",
    "helpText": "If true, all AWS Accounts known to Cloud Defense will be trusted and therefore ignored if found by this check, in addition to any accounts in Trusted Accounts."
  },
  "trustedAccountIds": {
    "label": "Trusted AWS Account IDs",
    "helpText": "A list of AWS Account IDs to trust and therefore ignore if found by this check.",
    "value": [],
    "type": "string[]"
  },
  "skipCanonical": {
    "label": "Ignore All Canonical Principals",
    "value": false,
    "type": "boolean"
  },
  "trustedCanonicalIds": {
    "label": "Ignore Only Listed Canonical Principals",
    "helpText": "A list of trusted AWS Canonical Principals to ignore",
    "value": [],
    "type": "string[]"
  },
  "skipFederated": {
    "label": "Ignore All Federated Principals",
    "value": false,
    "type": "boolean"
  },
  "trustedFederatedUsers": {
    "label": "Ignore All Federated Principals",
    "helpText": "A list of trusted federated web identity and SAML principals to ignore",
    "value": [],
    "type": "string[]"
  },
  "skipService": {
    "label": "Ignore All Service Principals",
    "value": true,
    "type": "boolean",
    "helpText": "Ignore Service Principals, e.g. \"Principal\": { \"Service\": \"cloudtrail.amazonaws.com\" }"
  },
  "trustedServices": {
    "label": "Trusted AWS Services",
    "helpText": "A list of trusted AWS Services, e.g. cloudtrail.amazonaws.com",
    "value": [],
    "type": "string[]"
  }
}
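The following is an added, stand-alone Python illustration of the evaluation described in the Overview; it is not the product's own check code. It parses a bucket policy, keeps only "Allow" statements, classifies each principal by type (AWS, CanonicalUser, Federated, Service) and applies settings named exactly as in the Input block above. The sample policy, account IDs and canonical ID are constructed placeholders; the `known_account_ids` parameter is an assumption standing in for the account IDs in the Cloud Defense project tree; and treating the `*` wildcard principal as untrusted is a choice made here, not something the page states.

```python
import json
import re

# Constructed sample bucket policy (placeholder account IDs, not real ones).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnerAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:role/reader", "333333333333"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
        {"Sid": "CanonicalGrant", "Effect": "Allow",
         "Principal": {"CanonicalUser": "0123456789abcdef" * 4},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Default values mirroring the Input settings on this page.
DEFAULT_CONFIG = {
    "trustAllConnectedAccounts": True,
    "trustedAccountIds": [],
    "skipCanonical": False,
    "trustedCanonicalIds": [],
    "skipFederated": False,
    "trustedFederatedUsers": [],
    "skipService": True,
    "trustedServices": [],
}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# IAM/STS principal ARNs carry the account ID in the fifth colon-separated field.
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_from_principal(value):
    """Return the 12-digit account ID behind an AWS principal string, or None."""
    if ACCOUNT_ID_RE.match(value):
        return value
    match = ARN_ACCOUNT_RE.match(value)
    return match.group(1) if match else None


def _classify(ptype, value, trusted_accounts, config):
    """Return None when the principal is trusted, otherwise a short reason."""
    if ptype == "AWS":
        if value == "*":
            return "wildcard principal grants access to any AWS account"  # assumption: never trusted
        acct = account_from_principal(value)
        if acct is None:
            return "unrecognised AWS principal format"
        return None if acct in trusted_accounts else f"account {acct} is not owner, known or trusted"
    if ptype == "CanonicalUser":
        ok = config["skipCanonical"] or value in config["trustedCanonicalIds"]
        return None if ok else "canonical user not in trusted list"
    if ptype == "Federated":
        ok = config["skipFederated"] or value in config["trustedFederatedUsers"]
        return None if ok else "federated principal not in trusted list"
    if ptype == "Service":
        ok = config["skipService"] or value in config["trustedServices"]
        return None if ok else "service principal not in trusted list"
    return f"unknown principal type {ptype}"


def find_untrusted_principals(policy_json, owner_account_id, config, known_account_ids=()):
    """List every Allow-statement principal that the configured trust lists do not cover."""
    policy = json.loads(policy_json)
    trusted_accounts = set(config["trustedAccountIds"]) | {owner_account_id}
    if config["trustAllConnectedAccounts"]:
        trusted_accounts |= set(known_account_ids)  # assumption: stands in for the project tree
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue  # Deny statements never grant access, so they are not cross-account grants
        principal = stmt["Principal"]
        if principal == "*":
            principal = {"AWS": "*"}
        for ptype, values in principal.items():
            for value in _as_list(values):
                reason = _classify(ptype, value, trusted_accounts, config)
                if reason:
                    findings.append({"sid": stmt.get("Sid", "<no Sid>"), "type": ptype,
                                     "principal": value, "reason": reason})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_untrusted_principals(
        SAMPLE_POLICY, "111111111111", DEFAULT_CONFIG, known_account_ids=["222222222222"]), indent=2))
```

With the defaults above, the owner account and the known account 222222222222 pass, the CloudTrail service principal is ignored because `skipService` defaults to true, and three grants are reported: the unknown account 333333333333, the unlisted canonical user, and the public wildcard. Flipping `skipCanonical` or `trustAllConnectedAccounts` changes the result exactly as the Input settings describe.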
Severity
3
Item Types
AWS::S3::Bucket