S3.3: Buckets can be written to by anyone on the internet

What does AWS Security Hub S3.3 check?

S3.3 fails any bucket that allows public write access — anyone on the internet can upload, overwrite, or delete objects.

Why does S3.3 matter?

A publicly writable bucket is even more dangerous than a readable one: attackers can plant malware, deface hosted content, rack up storage costs, or overwrite legitimate data. If the bucket serves a website or feeds a pipeline, public write is a direct path to supply-chain compromise.

How do I fix S3.3?

1. Enable Block Public Access on the bucket to stop public writes immediately.
2. Strip any policy statements or ACL grants that give write/PutObject/DeleteObject to Principal "*".
3. Grant uploads only to specific authenticated roles, ideally scoped to a prefix and protected with conditions.

# Close the highest-impact public exposure first: databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# Ratchet S3 shut at the account level so no bucket can be made public again.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'