
AWS S3 Bucket Public 'READ_ACP' Access

Security

Risk level: Very High (not tolerated)

Ensure that the permission details (ACL) of your S3 buckets cannot be viewed by anonymous users, in order to protect against unauthorized access. An S3 bucket that grants READ_ACP (VIEW PERMISSIONS) access to everyone allows unauthorized users to look up its ACL (Access Control List) permissions.

This rule resolution is part of the Cloud Conformity Security Package

Granting public “READ_ACP” access to your S3 buckets can allow everyone on the Internet to see who controls your objects. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing techniques to help them gain access to your S3 data. Cloud Conformity strongly recommends against setting READ_ACP (VIEW PERMISSIONS) ACL permission for the “Everyone” grantee (predefined group) in production.

Audit

To determine if your AWS S3 buckets provide ACL permissions information to anonymous users, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu.

04 In the Properties panel, click the Permissions tab and check the Access Control List (ACL) for any grantee named "Everyone". A grantee can be an AWS account or an AWS S3 predefined group. The grantee called "Everyone" is an AWS predefined group that grants access to everyone (i.e. anonymous users). If the bucket ACL configuration displays the "Everyone" predefined group with the View Permissions (READ_ACP) permission enabled (screenshot: http://goo.gl/F003rT), the selected S3 bucket ACL information is publicly accessible and the bucket is exposed from a security standpoint.

05 Repeat steps no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets within your account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available:

[
    "webapp-status-reports",
     ...
    "webapp-data-repository"
]

03 Run get-bucket-acl command (OSX/Linux/UNIX) to return the access control policy (ACP) for the selected S3 bucket:

aws s3api get-bucket-acl \
	--bucket webapp-data-repository

04 The command output should display the bucket access control policy, which lists the AWS users and groups that have access to the bucket and their level of permissions. If a Grantee group URI is equal to “http://acs.amazonaws.com/groups/global/AllUsers” (Everyone) and the permission associated with that group is READ_ACP, the selected S3 bucket ACL information is publicly accessible and the bucket is vulnerable to attacks. The following output example shows an S3 bucket Access Control Policy (ACP) that allows public READ_ACP access to everyone on the Internet:

{
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "742f3e57089ec3bd00296f84056525d78415fd5e56dcfda3f8309356e3"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ_ACP"
        }
    ]
}

05 Repeat steps no. 3 and 4 for each AWS S3 bucket that you want to examine.
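The two CLI steps above (list the buckets, fetch each ACL, look for an AllUsers grant carrying READ_ACP) can be automated. The following Python script is an added example written for this page, not Cloud Conformity's own tooling: it evaluates a parsed get-bucket-acl document (the constructed sample is the step 04 output above, plus a constructed private-bucket ACL for contrast) and flags grants to the public predefined groups. It generalizes slightly beyond the rule by also recognising the AuthenticatedUsers group and by accepting a wider permission list. The audit_account function is an assumption about how one would run the same check against a live account with boto3; it is not executed here.

```python
import json

# Predefined S3 groups whose grants expose a bucket beyond the owning account.
# The console labels AllUsers as "Everyone" (anonymous access).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Any AWS account",
}


def public_grants(acl, permissions=("READ_ACP",)):
    """Return (grantee label, permission) pairs granted to a public group.

    `acl` is the parsed output of `aws s3api get-bucket-acl`. By default only
    READ_ACP (View Permissions) is reported; pass e.g. ("READ", "WRITE",
    "READ_ACP", "WRITE_ACP", "FULL_CONTROL") to flag every public grant.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are not public groups
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if label and grant.get("Permission") in permissions:
            findings.append((label, grant["Permission"]))
    return findings


def audit_acl(bucket_name, acl):
    """Return a one-line verdict mirroring the manual step 04 check."""
    findings = public_grants(acl)
    if not findings:
        return f"{bucket_name}: OK"
    detail = ", ".join(f"{perm} -> {who}" for who, perm in findings)
    return f"{bucket_name}: PUBLIC READ_ACP ({detail})"


# Constructed sample: the get-bucket-acl output shown in step 04 above.
SAMPLE_PUBLIC_ACL = json.loads("""{
    "Owner": {"DisplayName": "john.doe",
              "ID": "742f3e57089ec3bd00296f84056525d78415fd5e56dcfda3f8309356e3"},
    "Grants": [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ_ACP"}
    ]
}""")

# Constructed sample of a private bucket: only the owner holds a grant.
SAMPLE_PRIVATE_ACL = json.loads("""{
    "Owner": {"DisplayName": "john.doe",
              "ID": "742f3e57089ec3bd00296f84056525d78415fd5e56dcfda3f8309356e3"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "john.doe",
                     "ID": "742f3e57089ec3bd00296f84056525d78415fd5e56dcfda3f8309356e3"},
         "Permission": "FULL_CONTROL"}
    ]
}""")


def audit_account():
    """Assumed live loop (not run here): the same check over every bucket via
    boto3, which must be installed with AWS credentials configured."""
    import boto3
    s3 = boto3.client("s3")
    return [audit_acl(b["Name"], s3.get_bucket_acl(Bucket=b["Name"]))
            for b in s3.list_buckets()["Buckets"]]


if __name__ == "__main__":
    print(audit_acl("webapp-data-repository", SAMPLE_PUBLIC_ACL))
    print(audit_acl("webapp-status-reports", SAMPLE_PRIVATE_ACL))
```

Running the script offline prints one verdict per constructed sample; the first bucket is reported as publicly READ_ACP-accessible and the second as OK. The boto3 get_bucket_acl response uses the same Grants/Grantee/Permission keys as the CLI output, so audit_acl works unchanged on live data.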

Remediation / Resolution

To remove public access to your S3 buckets ACL config information (ACL permissions), you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu.

04 In the Properties panel, click Permissions to expand the bucket Access Control List (ACL) configuration tab and search for the grantee (predefined group) named "Everyone".

05 Uncheck the View Permissions (READ_ACP) permission applied to "Everyone", or delete the predefined group using the x button next to the group settings.

06 Click Save to apply the new ACL configuration and remove the bucket public READ_ACP access.

07 Repeat steps no. 3 – 6 for each publicly “READ_ACP” accessible S3 bucket available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets available in your account:

aws s3api list-buckets \
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available across all AWS regions:

[
    "webapp-status-reports",
     ...
    "webapp-data-repository"
]

03 Run put-bucket-acl command (OSX/Linux/UNIX) using the bucket name as command input parameter, to update permissions and hide the ACL information for the selected S3 bucket (if successful, the command should not return any output):

aws s3api put-bucket-acl \
	--bucket webapp-data-repository \
	--acl private

04 Repeat step no. 3 for each publicly “READ_ACP” accessible S3 bucket within your AWS account.
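The canned ACL used in step 03 (--acl private) replaces the bucket's entire ACL with a single FULL_CONTROL grant for the owner, so any other grant on the bucket, for example the S3 LogDelivery group grant that server access logging relies on, is dropped along with the public one. Where that is not acceptable, a more surgical remediation is to fetch the ACL, remove only the grants to the public predefined groups, and write the result back with the --access-control-policy option of put-bucket-acl. The Python below is an added example for this page, not Cloud Conformity's own code; the constructed sample ACL combines the public READ_ACP grant from the audit output with a LogDelivery grant and the owner's grant, and the acp.json file name is an assumption.

```python
import json

# Predefined groups that make a grant "public"; grants to anything else are kept.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def is_public_grant(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS


def strip_public_grants(acl):
    """Return a new access control policy with every public-group grant removed.

    The Owner block and all remaining grants are preserved, so the result can be
    passed straight to `put-bucket-acl --access-control-policy`.
    """
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if not is_public_grant(g)],
    }


def removed_grant_count(acl):
    """How many grants the sanitized policy drops compared with the original."""
    return len(acl.get("Grants", [])) - len(strip_public_grants(acl)["Grants"])


def write_policy_file(acl, path="acp.json"):
    """Write the sanitized policy to disk (assumed file name) for:
       aws s3api put-bucket-acl --bucket <name> --access-control-policy file://acp.json
    """
    policy = strip_public_grants(acl)
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return policy


# Constructed sample ACL: the public READ_ACP grant from the audit step, plus a
# LogDelivery grant and the owner's grant that `--acl private` would also wipe.
OWNER_ID = "742f3e57089ec3bd00296f84056525d78415fd5e56dcfda3f8309356e3"
SAMPLE_ACL = {
    "Owner": {"DisplayName": "john.doe", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "john.doe",
                     "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    print(f"removing {removed_grant_count(SAMPLE_ACL)} public grant(s)")
    print(json.dumps(write_policy_file(SAMPLE_ACL), indent=2))
```

On the constructed sample exactly one grant (the AllUsers READ_ACP entry) is removed and the LogDelivery and owner grants survive in the written policy. Re-running the audit from the previous section on the resulting document should then report the bucket as OK.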


Publication date May 12, 2016