I deployed a NIST CSF conformance pack on my AWS account, via AWS Config, to improve my security posture. One of my resources was non-compliant due to the s3-bucket-policy-grantee-check not passing. Firstly, I do not understand what it means in plain English despite reading it several times (I was hoping someone could simplify the language for me even more).
I have the following bucket policy but cannot seem to figure out why I can't get rid of this violation:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::cis-alarms-<account-number>"
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::cis-alarms-<account-number>/AWSLogs/<account-number>/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::cis-alarms-<account-number>",
                "arn:aws:s3:::cis-alarms-<account-number>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
What am I doing wrong?
PS. This is for a bucket that was provisioned when I created a trail on CloudTrail, and it created this bucket as a trail log bucket.
I figured out what was going on. Because I deployed this rule through a conformance pack, I wasn't able to edit the rule, because it is attached to a service-linked role which prevents any edits/deletes to the rules within the conformance pack. When I deployed the rule on its own and put in the necessary inputs (servicePrincipals & awsPrincipals) it worked like a charm and I was able to get rid of the violation.
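In plain English, s3-bucket-policy-grantee-check walks every Allow statement in the bucket policy and reports NON_COMPLIANT if any grantee (an AWS principal, a service principal, a federated user, or a source IP/VPC named in a condition) is not on the allow-lists you pass as rule parameters. Deny statements such as AllowSSLRequestsOnly are not grants and do not count against you. With no parameters set, as happens when the conformance pack deploys the rule with defaults, the CloudTrail service principal in the two Allow statements above is "unapproved", which is exactly the violation the question describes. The script below is an added example, not code from the question or from AWS, that evaluates a policy the way the rule does for the three principal kinds (servicePrincipals, awsPrincipals, federatedUsers); the ipAddresses/vpcIds condition checks and NotPrincipal handling are deliberately not modelled, and the sample policies, the 123456789012 account ID and the 111122223333 partner account are constructed placeholders.

```python
import json

# Constructed sample policies (not from a live account). The first is the
# CloudTrail log-bucket policy from the question with a placeholder account ID.
CLOUDTRAIL_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::cis-alarms-123456789012"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::cis-alarms-123456789012/AWSLogs/123456789012/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::cis-alarms-123456789012",
                      "arn:aws:s3:::cis-alarms-123456789012/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Same bucket plus a hypothetical cross-account read grant (constructed).
CROSS_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": CLOUDTRAIL_BUCKET_POLICY["Statement"] + [
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::cis-alarms-123456789012/*"},
    ],
}

# Hypothetical anonymous (public) read grant (constructed).
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::cis-alarms-123456789012/*"}],
}


def _principals(stmt):
    """Yield (kind, value) for each principal named in one statement.

    Principal is either the string "*" or a map of AWS/Service/Federated to a
    string or a list of strings; "*" and {"AWS": "*"} both mean anonymous.
    """
    principal = stmt.get("Principal")
    if principal == "*":
        yield ("AWS", "*")
        return
    if isinstance(principal, dict):
        for kind, values in principal.items():
            for value in ([values] if isinstance(values, str) else values):
                yield (kind, value)


def unapproved_grantees(policy, aws_principals=(), service_principals=(),
                        federated_users=()):
    """Return [(Sid, kind, principal)] for every grantee of an Allow statement
    that is not on an approved list, i.e. what makes the rule NON_COMPLIANT.

    Assumption: this approximates the rule's principal checks only. The real
    rule also takes ipAddresses and vpcIds (matched against Conditions) and
    handles NotPrincipal; neither is modelled here.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may omit the list
        statements = [statements]
    approved = {
        "AWS": set(aws_principals),
        "Service": set(service_principals),
        "Federated": set(federated_users),
    }
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements restrict access; only grants are inspected
        for kind, value in _principals(stmt):
            # "*" can never be approved, so anonymous grants are always flagged
            if value == "*" or value not in approved.get(kind, set()):
                findings.append((stmt.get("Sid", "<no Sid>"), kind, value))
    return findings


if __name__ == "__main__":
    # Rule deployed with no parameters: the CloudTrail grants are flagged.
    print(unapproved_grantees(CLOUDTRAIL_BUCKET_POLICY))
    # Rule redeployed with servicePrincipals=cloudtrail.amazonaws.com: clean.
    print(unapproved_grantees(CLOUDTRAIL_BUCKET_POLICY,
                              service_principals=["cloudtrail.amazonaws.com"]))
    # A cross-account grant is still caught until awsPrincipals lists it.
    print(unapproved_grantees(CROSS_ACCOUNT_POLICY,
                              service_principals=["cloudtrail.amazonaws.com"]))
```

Running the script against the question's policy with no approved lists returns both CloudTrail statements, and returns nothing once cloudtrail.amazonaws.com is passed as a service principal, which is the behaviour the answer observed after redeploying the rule standalone with servicePrincipals set. The design choice worth keeping when you write the real parameters is the same one the evaluator makes: list only the principals the bucket is meant to serve, so that a later cross-account or anonymous grant is reported instead of silently approved.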