Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your S3 buckets content permissions cannot be viewed by AWS authenticated accounts or IAM users in order to protect against unauthorized access. An S3 bucket that grants READ_ACP (VIEW PERMISSIONS) access to AWS signed users can allow them to examine your S3 Access Control Lists (ACLs) configuration details and find permission vulnerabilities.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Security
Granting authenticated “READ_ACP” access to S3 buckets can allow AWS unauthorized users to see who controls your objects and how. Malicious users can use this information to find S3 objects with misconfigured permissions and implement probing methods to facilitate access to your S3 data. Cloud Conformity strongly recommends against setting READ_ACP (VIEW PERMISSIONS) ACL permission for the "Any Authenticated AWS User" ACL predefined group in production.
To determine if your S3 buckets allow READ_ACP access to AWS authenticated users, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:
04 In the Properties panel, click the Permissions tab and check the Access Control List (ACL) for any grantee named "Any Authenticated AWS User". A grantee can be an AWS account or an AWS S3 predefined group. The grantee called "Any Authenticated AWS User" is an AWS predefined group that allows any authenticated AWS account or IAM user to access the S3 bucket. If the bucket ACL configuration displays the "Any Authenticated AWS User" predefined group with the View Permissions (READ_ACP) permissions enabled:
the selected S3 bucket permissions are clearly exposed to other AWS authenticated users and the bucket is rendered as insecure.
05 Repeat steps no. 3 and 4 for each bucket that you want to examine, available in your AWS account.
To remove authenticated READ_ACP access for your S3 buckets ACL configuration, you need to perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:
04 In the Properties panel, click Permissions to expand the bucket Access Control List (ACL) configuration tab and search for the grantee (predefined group) named "Any Authenticated AWS User".
05 Uncheck the View Permissions (READ_ACP) permission applied to "Any Authenticated AWS User":
or delete the predefined group using the x button next to the group permission settings:
06 Click Save to apply the new ACL configuration and remove the bucket authenticated READ_ACP access.
07 Repeat steps no. 3 – 6 for each authenticated “READ_ACP” accessible S3 bucket available in your AWS account.
Unlock the Remediation Steps
Gain free unlimited access to our full Knowledge Base
Over 600 rules & best practices for 
and 
Get started for FREE
Thank you!
Please click the link in the confirmation email sent to
You are auditing:
S3 Bucket Authenticated Users 'READ_ACP' Access
Risk level: Very High
|