Ensure that your S3 buckets content permissions cannot be viewed by AWS authenticated accounts or IAM users in order to protect against unauthorized access. An S3 bucket that grants READ_ACP (VIEW PERMISSIONS) access to AWS signed users can allow them to examine your S3 Access Control Lists (ACLs) configuration details and find permission vulnerabilities.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Security Granting authenticated “READ_ACP” access to S3 buckets can allow AWS unauthorized users to see who controls your objects and how. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing methods to facilitate access to your S3 data. Cloud Conformity strongly recommends against setting READ_ACP (VIEW PERMISSIONS) ACL permission for the "Any Authenticated AWS User" ACL predefined group in production.
Audit
To determine if your S3 buckets allow READ_ACP access to AWS authenticated users, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:
04 In the Properties panel, click the Permissions tab and check the Access Control List (ACL) for any grantee named "Any Authenticated AWS User". A grantee can be an AWS account or an AWS S3 predefined group. The grantee called "Any Authenticated AWS User" is an AWS predefined group that allows any authenticated AWS account or IAM user to access the S3 bucket. If the bucket ACL configuration displays the "Any Authenticated AWS User" predefined group with the View Permissions (READ_ACP) permissions enabled:
the selected S3 bucket permissions are clearly exposed to other AWS authenticated users and the bucket is rendered as insecure.
05 Repeat steps no. 3 and 4 for each bucket that you want to examine, available in your AWS account.
Remediation / Resolution
To remove authenticated READ_ACP access for your S3 buckets ACL configuration, you need to perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:
04 In the Properties panel, click Permissions to expand the bucket Access Control List (ACL) configuration tab and search for the grantee (predefined group) named "Any Authenticated AWS User".
05 Uncheck the View Permissions (READ_ACP) permission applied to "Any Authenticated AWS User":
or delete the predefined group using the x button next to the group permission settings:
06 Click Save to apply the new ACL configuration and remove the bucket authenticated READ_ACP access.
07 Repeat steps no. 3 – 6 for each authenticated “READ_ACP” accessible S3 bucket available in your AWS account.
References
- AWS Documentation
- Amazon S3 FAQs
- Access Control List (ACL) Overview
- Managing ACLs in the AWS Management Console
- Editing Bucket Permissions
- AWS Command Line Interface (CLI) Documentation
- list-buckets
- get-bucket-acl
- put-bucket-acl
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
for and
Get started for FREE
You are auditing:
S3 Bucket Authenticated Users 'READ_ACP' Access
Risk level: Very High