Ensure that the permissions configuration of your S3 buckets cannot be read by arbitrary AWS-authenticated principals, in order to protect against unauthorized access. An S3 bucket that grants READ_ACP (VIEW PERMISSIONS) access to the "Any Authenticated AWS User" predefined group (the AuthenticatedUsers group, which matches every request signed with valid credentials from any AWS account, not only your own) lets those principals read the bucket's Access Control List (ACL) configuration and look for permission weaknesses.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Granting READ_ACP access to the Authenticated Users group does not limit access to people you trust: any holder of an AWS account, including an attacker using a throwaway account, can read the ACL and learn which principals control your bucket and with which permissions. A malicious user can use this information to find buckets and objects with misconfigured permissions and then probe them to gain access to your S3 data. Note that FULL_CONTROL includes READ_ACP, so a FULL_CONTROL grant to the group exposes the ACL in the same way. Cloud Conformity strongly recommends against granting the READ_ACP (VIEW PERMISSIONS) ACL permission to the "Any Authenticated AWS User" predefined group in production. Two related controls are worth checking at the same time: S3 Block Public Access treats any ACL grant to the AuthenticatedUsers group as public and can block or ignore it, and buckets whose Object Ownership setting is BucketOwnerEnforced have ACLs disabled altogether, so the grant can only exist on buckets where ACLs are still enabled.
Audit
To determine whether any of your S3 buckets grant READ_ACP access to the Authenticated Users group, perform the following:
Remediation / Resolution
To remove the Authenticated Users READ_ACP grant from your S3 bucket ACL configuration, perform the following:
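The audit and remediation steps above both operate on the bucket ACL document. The following script is an added example, not Cloud Conformity's own tooling: it takes the JSON printed by `aws s3api get-bucket-acl --bucket <name>`, reports any READ_ACP or FULL_CONTROL grant held by the AuthenticatedUsers group, and emits the access-control policy that `aws s3api put-bucket-acl --bucket <name> --access-control-policy file://fixed-acl.json` expects, with only the offending grants removed. The embedded sample ACL (owner ID, log-delivery grant) is constructed for the example and is not taken from a real account.

```python
"""
Audit and remediate "Any Authenticated AWS User" READ_ACP grants on an S3 bucket ACL.

Added example (not Cloud Conformity's code). Input is the JSON that
`aws s3api get-bucket-acl --bucket <name>` prints; output is the policy document
for `aws s3api put-bucket-acl --bucket <name> --access-control-policy file://fixed-acl.json`.
"""
import json
import sys

# Predefined-group URI AWS uses for "Any Authenticated AWS User".
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# READ_ACP lets the grantee read the ACL; FULL_CONTROL includes READ_ACP,
# so both permissions expose the bucket's permissions configuration.
ACL_VIEW_PERMISSIONS = {"READ_ACP", "FULL_CONTROL"}

# Constructed sample of `aws s3api get-bucket-acl` output for a non-compliant bucket
# (placeholder owner ID, not a real account).
SAMPLE_GET_BUCKET_ACL_OUTPUT = """
{
    "Owner": {"DisplayName": "example-owner", "ID": "0123456789abcdef0123456789abcdef"},
    "Grants": [
        {
            "Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef",
                        "DisplayName": "example-owner"},
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
            "Permission": "READ_ACP"
        },
        {
            "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
            "Permission": "WRITE"
        }
    ]
}
"""


def grants_authenticated_acl_view(grant):
    """True when this grant lets the Authenticated Users group read the bucket ACL."""
    grantee = grant.get("Grantee", {})
    return (
        grantee.get("Type") == "Group"
        and grantee.get("URI") == AUTHENTICATED_USERS_URI
        and grant.get("Permission") in ACL_VIEW_PERMISSIONS
    )


def audit_bucket_acl(acl_json):
    """Return the offending permissions (e.g. ['READ_ACP']); an empty list means compliant."""
    acl = json.loads(acl_json)
    return [g["Permission"] for g in acl.get("Grants", []) if grants_authenticated_acl_view(g)]


def remediated_policy(acl_json):
    """Build the policy to put back: same owner and grants, minus the offending ones.

    put-bucket-acl replaces the whole ACL, so every grant that should survive
    (owner, log delivery, ...) has to be carried over explicitly.
    """
    acl = json.loads(acl_json)
    kept = [g for g in acl.get("Grants", []) if not grants_authenticated_acl_view(g)]
    return {"Owner": acl["Owner"], "Grants": kept}


if __name__ == "__main__":
    # Usage: python s3_read_acp.py [get-bucket-acl.json]; the sample is used when no file is given.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GET_BUCKET_ACL_OUTPUT
    findings = audit_bucket_acl(source)
    if findings:
        print("NON-COMPLIANT: AuthenticatedUsers group holds " + ", ".join(findings), file=sys.stderr)
        # Save this as fixed-acl.json and apply it with put-bucket-acl.
        print(json.dumps(remediated_policy(source), indent=2))
    else:
        print("COMPLIANT: no AuthenticatedUsers READ_ACP/FULL_CONTROL grant", file=sys.stderr)
```

To audit an account, iterate over `aws s3api list-buckets --query 'Buckets[].Name' --output text`, run `get-bucket-acl` for each bucket, and feed the output to the script. When the bucket needs no grants beyond the owner's, `aws s3api put-bucket-acl --bucket <name> --acl private` is a simpler fix; the script is for buckets that carry other intentional grants (log delivery, cross-account grantees) that a reset to `private` would drop.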
References
- AWS Documentation
  - Amazon S3 FAQs
  - Access Control List (ACL) Overview
  - Managing ACLs in the AWS Management Console
  - Editing Bucket Permissions
- AWS Command Line Interface (CLI) Documentation
  - list-buckets
  - get-bucket-acl
  - put-bucket-acl
S3 Bucket Authenticated Users 'READ_ACP' Access
Risk level: Very High