Ensure that your AWS S3 buckets are not publicly accessible via bucket policies in order to protect against unauthorized access. Allowing unrestricted access through bucket policies gives everyone the ability to list the objects within the bucket (ListBucket), download objects (GetObject), upload/delete objects (PutObject, DeleteObject), view objects permissions (GetBucketAcl), edit objects permissions (PutBucketAcl) and more. Cloud Conformity strongly recommends using bucket policies to limit the access to a particular AWS account (friendly account) instead of providing public access to everyone on the Internet.
Granting public access to your S3 buckets via bucket policies can allow malicious users to view, get, upload, modify and delete S3 objects, actions that can lead to data loss and unexpected charges on your AWS bill.
To determine if your Amazon S3 buckets allow unauthorized public access via bucket policies, perform the following:
To restrict access to your publicly accessible S3 buckets via bucket policies, perform the following: