Ensure that your S3 buckets content permissions cannot be viewed by AWS authenticated accounts or IAM users in order to protect against unauthorized access. An S3 bucket that grants READ_ACP (VIEW PERMISSIONS) access to AWS signed users can allow them to examine your S3 Access Control Lists (ACLs) configuration details and find permission vulnerabilities.
Granting authenticated “READ_ACP” access to S3 buckets can allow AWS unauthorized users to see who controls your objects and how. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing methods to facilitate access to your S3 data. Cloud Conformity strongly recommends against setting READ_ACP (VIEW PERMISSIONS) ACL permission for the "Any Authenticated AWS User" ACL predefined group in production.
To determine if your S3 buckets allow READ_ACP access to AWS authenticated users, perform the following:
To remove authenticated READ_ACP access for your S3 buckets ACL configuration, you need to perform the following: