Ensure that your AWS S3 buckets content cannot be publicly listed in order to protect against unauthorized access. An S3 bucket that grants READ (LIST) access to everyone can allow anonymous users to list the objects within the bucket. Malicious users can exploit the information acquired through the listing process to find objects with misconfigured ACL permissions and access these compromised objects.
Granting public “READ” access to your S3 buckets can allow unauthorized users to list the objects available within the buckets and use this information to gain access to your data. Cloud Conformity strongly recommends against setting READ (LIST) ACL permission for the “Everyone” predefined group in production.
To determine if your existing AWS S3 buckets allow public READ (LIST) access, perform the following:
To remove public READ access from your S3 buckets, you need to perform the following: