Logo of Trend Micro

S3 Bucket Public 'READ' Access

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Very High (not tolerated)
Rule ID: S3-001

Ensure that your AWS S3 buckets content cannot be publicly listed in order to protect against unauthorized access. An S3 bucket that grants READ (LIST) access to everyone can allow anonymous users to list the objects within the bucket. Malicious users can exploit the information acquired through the listing process to find objects with misconfigured ACL permissions and access these compromised objects.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Granting public “READ” access to your S3 buckets can allow unauthorized users to list the objects available within the buckets and use this information to gain access to your data. Cloud Conformity strongly recommends against setting READ (LIST) ACL permission for the “Everyone” predefined group in production.

Audit

To determine if your existing AWS S3 buckets allow public READ (LIST) access, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

Properties tab from the S3 dashboard top right menu

04 In the Properties panel, click the Permissions tab and check the Access Control List (ACL) for any grantee named "Everyone". A grantee can be an AWS account or an AWS S3 predefined group. The grantee called "Everyone" is an AWS predefined group that allows access to everyone (i.e. anonymous users). If the bucket ACL configuration does specify the "Everyone" predefined group with the List (READ) permission enabled:

If the bucket ACL configuration does specify the 'Everyone' predefined group with the List (READ) permission enabled

the selected S3 bucket is publicly accessible for content listing and is rendered as insecure.

05 Repeat steps no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets within your account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each S3 bucket available across all AWS regions. The following output example returns an S3 bucket named webapp-data-repository: 

[
    "webapp-data-repository"
]

03 Run get-bucket-acl command (OSX/Linux/UNIX) to return the Access Control Policy (ACP) for selected S3 bucket: 

aws s3api get-bucket-acl
	--bucket webapp-data-repository

04 The command output should display the bucket policy document which contains the AWS users and groups that have access to the bucket and their level of permissions. If the Grantee group URI is equal to “http://acs.amazonaws.com/groups/global/AllUsers” (Everyone) and the permission associated with the group is READ, the selected S3 bucket is publicly accessible for S3 object listing. The following example displays an S3 bucket ACP that allows public READ access to everyone on the Internet: 

{
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "658f3e58089ec3bd00296f84056525d78415fd5e56dcfda3f830935d4"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        }
    ]
}

05 Repeat steps no. 3 and 4 for each AWS S3 bucket that you want to examine.

Remediation / Resolution

To remove public READ access from your S3 buckets, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the S3 dashboard top right menu:

Properties tab from the S3 dashboard top right menu

04 In the Properties panel, click Permissions to expand the bucket Access Control List (ACL) configuration tab and search for the grantee (predefined group) named "Everyone". uncheck-the-list-read-permission-applied-to-everyone.png

05 Uncheck the List (READ) permission applied to "Everyone":

Uncheck the List (READ) permission applied to 'Everyone'

or delete the predefined group using the x button next to the group settings:

delete the predefined group using the x button next to the group settings

06 Click Save to apply the new ACL configuration and remove the bucket public READ (LIST) access.

07 Repeat steps no. 3 – 6 for each publicly “READ” accessible S3 bucket available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all existing S3 buckets available in your account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return the name of each existing S3 bucket. The following output example returns one S3 bucket named webapp-data-repository: 

[
    "webapp-data-repository"
]

03 Run put-bucket-acl command (OSX/Linux/UNIX) using the bucket name as command input parameter, to update permissions and remove the public READ access for the selected S3 bucket (if successful, the command should not return any output): 

aws s3api put-bucket-acl
	--bucket webapp-data-repository
	--acl private

04 Repeat step no. 3 for each publicly “READ” accessible S3 bucket within your AWS account.

References

Publication date May 11, 2016

Related S3 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

S3 Bucket Public 'READ' Access

Risk level: Very High