AWS Config Rule: S3 Bucket Blacklisted Actions Prohibited


Eduardo Van Cauteren

Last Update 8 months ago

Description: Checks if an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.

Note: the rule only checks the entities listed in the Principal property of a policy and does not take into account any conditions under the Condition property.

Trigger type: Configuration changes

AWS Region: All supported AWS regions except Asia Pacific (Hyderabad), Europe (Spain) Region

How to Resolve Manually

This Config rule checks whether an S3 bucket policy restricts specific actions requested from other AWS accounts. The rule is marked as non-compliant if a policy is found that contains any of the blacklisted actions.

For this particular Config Rule, you need to define one or more actions to include in the blacklist from the StackZone Console.

The following screenshot shows s3:DeleteObject defined as a prohibited action; AWS Config then evaluates the policy of each bucket against this blacklist:

To resolve this, either remove the bucket policy from the bucket or edit the policy so that it no longer grants any of the prohibited actions.
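As an added illustration (not the rule's own implementation, nor StackZone code), the Python evaluator below applies the logic described above to a constructed bucket policy: only Allow statements count, only principals outside the bucket owner's account (assumed here to be 111111111111) count, action names are matched with wildcards in either direction, and Condition elements are ignored exactly as the note above says.

```python
import fnmatch
import json

# Constructed sample bucket policy (not from the original page): statement 0 grants a
# foreign account s3:GetBucket* and s3:DeleteObject (behind a Condition the rule ignores),
# statement 1 grants a role inside the bucket owner's own account 111111111111.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["s3:GetBucket*", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(principal):
    """AWS principals named by a Principal element ('*' means anonymous access)."""
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []

def _is_foreign(principal_value, own_account):
    """True for '*' or for a principal (ARN or bare account ID) of another account."""
    if principal_value == "*":
        return True
    account = principal_value.split(":")[4] if principal_value.startswith("arn:") else principal_value
    return account != own_account

def _matches(action, blocked):
    # IAM action names are case-insensitive and either side may carry a wildcard:
    # "s3:*" covers a blocklisted "s3:DeleteObject"; "s3:GetBucketAcl" is covered by "s3:GetBucket*".
    a, b = action.lower(), blocked.lower()
    return fnmatch.fnmatchcase(a, b) or fnmatch.fnmatchcase(b, a)

def find_blocklisted_grants(policy_json, own_account, blocklist):
    """(statement_index, action) pairs where an Allow statement grants a blocklisted action
    to a principal outside own_account; like the rule, Condition elements are ignored."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_is_foreign(p, own_account) for p in _principals(stmt.get("Principal", {}))):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if any(_matches(action, blocked) for blocked in blocklist):
                findings.append((i, action))
    return findings
```

An empty result corresponds to COMPLIANT; any finding means the bucket would be reported NON_COMPLIANT even though statement 0 is limited by a Condition.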

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our "how it works" section with easy-to-follow videos, or just create your own StackZone Account here.
