Reputation: 185
I deployed a NIST CSF conformance pack on my AWS account, via AWS Config, to improve my security posture. One of my resources was non-compliant due to the s3-bucket-policy-grantee-check not passing. Firstly, I do not understand what it means in plain English despite reading it several times (I was hoping someone could simplify the language for me even more).
I have the following bucket policy but cannot seem to figure out why I can't get rid of this violation:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::cis-alarms-<account-number>"
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::cis-alarms-<account-number>/AWSLogs/<account-number>/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::cis-alarms-<account-number>",
                "arn:aws:s3:::cis-alarms-<account-number>/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
What am I doing wrong?
PS. This is for a bucket that was provisioned when I created a trail on CloudTrail, and it created this bucket as a trail log bucket.
Upvotes: 1
Views: 977
Reputation: 88
The issue is indeed that you need to set the correct principals on the Config Rule. It is possible to configure these settings on the AWS Conformance Pack using CloudFormation via the InputParameters property. For example:
ConformancePackCis:
  Type: AWS::Config::ConformancePack
  Properties:
    ConformancePackName: CISAWSFoundationsBenchmarkLevel2
    TemplateBody: !Sub |-
      Resources:
        S3BucketPolicyGranteeCheck:
          Properties:
            ConfigRuleName: s3-bucket-policy-grantee-check
            InputParameters:
              servicePrincipals: "logging.s3.amazonaws.com"
              awsPrincipals: "${AWS::AccountId},arn:aws:iam::cloudfront:user/*"
            Scope:
              ComplianceResourceTypes:
                - AWS::S3::Bucket
            Source:
              Owner: AWS
              SourceIdentifier: S3_BUCKET_POLICY_GRANTEE_CHECK
          Type: AWS::Config::ConfigRule
Upvotes: 0
Reputation: 185
I figured out what was going on. Because I deployed this rule through a conformance pack, I wasn't able to edit the rule because it is attached to a service-linked role which prevents any edits/deletes to the rules within the conformance pack. When I deployed the rule on its own and put in the necessary inputs (servicePrincipals & awsPrincipals) it worked like a charm and I was able to get rid of the violation.
Upvotes: 1
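Added example, not code from the question, the answers or AWS. It covers two points in the thread: the question's request for a plain-English reading of s3-bucket-policy-grantee-check, and the final answer's fix of deploying the managed rule on its own with servicePrincipals and awsPrincipals. The first part models the rule's documented behaviour: every principal that an Allow statement in the bucket policy grants access to must appear in one of the rule's input parameters (servicePrincipals, awsPrincipals, federatedUsers), otherwise the bucket is NON_COMPLIANT. Deny statements grant nothing, so the model skips them, and parameter entries are matched as shell-style wildcards (both of these are assumptions of this model, since the managed rule's exact matching logic is not public). The second part builds the request body for boto3's `put_config_rule` call without contacting AWS; the bucket policy is the one from the question with a placeholder account ID, and the sample policy with an IAM user grant is constructed for the example.

```python
"""Plain-English model of AWS Config's s3-bucket-policy-grantee-check (added example)."""
import fnmatch
import json

# Constructed input: the question's bucket policy with a placeholder account ID.
ACCOUNT = "123456789012"
BUCKET = f"cis-alarms-{ACCOUNT}"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        # Deny statements restrict access; they grant nothing, so the check ignores them.
        {"Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Maps the Principal block keys to the rule's input parameter names.
PARAM_FOR_KIND = {"Service": "servicePrincipals", "AWS": "awsPrincipals",
                  "Federated": "federatedUsers"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grantees(policy):
    """Return the set of (principal kind, principal) pairs that Allow statements grant to."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # assumption: only grants count, Deny is skipped
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add(("AWS", "*"))  # anonymous grant: nothing in any allowlist covers it
            continue
        for kind, who in principal.items():
            for p in _as_list(who):
                found.add((kind, p))
    return found


def evaluate(policy, **params):
    """Return ('COMPLIANT' | 'NON_COMPLIANT', sorted grantees not covered by the parameters).

    params are the rule's input parameters, e.g. servicePrincipals=["cloudtrail.amazonaws.com"].
    Assumption: entries are matched as fnmatch wildcards, so 'arn:aws:iam::cloudfront:user/*' works.
    """
    offending = []
    for kind, p in grantees(policy):
        allowed = params.get(PARAM_FOR_KIND.get(kind, ""), ())
        if not any(fnmatch.fnmatch(p, pattern) for pattern in allowed):
            offending.append(p)
    offending.sort()
    return ("COMPLIANT" if not offending else "NON_COMPLIANT", offending)


def standalone_rule_request(service_principals, aws_principals=()):
    """ConfigRule argument for boto3 config.put_config_rule(ConfigRule=...).

    Deploys the managed rule on its own, outside the conformance pack, with the grantee
    allowlist filled in. InputParameters is a JSON-encoded string in the Config API.
    """
    params = {"servicePrincipals": ",".join(service_principals)}
    if aws_principals:
        params["awsPrincipals"] = ",".join(aws_principals)
    return {
        "ConfigRuleName": "s3-bucket-policy-grantee-check",
        "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
        "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_POLICY_GRANTEE_CHECK"},
        "InputParameters": json.dumps(params),
    }


if __name__ == "__main__":
    # No parameters: nothing is on the allowlist, so CloudTrail's grant is flagged.
    print(evaluate(POLICY))
    # With cloudtrail.amazonaws.com in servicePrincipals the same policy passes.
    print(evaluate(POLICY, servicePrincipals=["cloudtrail.amazonaws.com"]))
    print(json.dumps(standalone_rule_request(["cloudtrail.amazonaws.com"], [ACCOUNT]), indent=2))
```

Run it and the first evaluation reports the bucket NON_COMPLIANT with `cloudtrail.amazonaws.com` as the uncovered grantee, which is exactly the situation in the question: the policy is fine, the rule simply had no allowlist to compare it against. Feed the returned request body to `boto3.client("config").put_config_rule(ConfigRule=...)` in the account to reproduce the final answer's standalone deployment.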