Ensure that the contents of your AWS S3 buckets cannot be publicly listed, in order to protect against unauthorized access. An S3 bucket that grants READ (LIST) access to everyone allows anonymous users to list the objects within the bucket. Malicious users can exploit the information acquired through the listing process to find objects with misconfigured ACL permissions and access those exposed objects.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Granting public “READ” access to your S3 buckets can allow unauthorized users to list the objects available within the buckets and use this information to gain access to your data. Cloud Conformity strongly recommends against setting READ (LIST) ACL permission for the “Everyone” predefined group in production.
Audit
To determine if your existing AWS S3 buckets allow public READ (LIST) access, perform the following:
Remediation / Resolution
To remove public READ access from your S3 buckets, you need to perform the following:
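The audit and remediation steps above both come down to inspecting the bucket ACL and removing any grant that gives the "Everyone" group READ (or FULL_CONTROL, which implies READ). The following is an added example, not Cloud Conformity's own code: it checks the JSON shape that `aws s3api get-bucket-acl --bucket <name>` returns and produces a cleaned policy in the shape that `aws s3api put-bucket-acl --access-control-policy` accepts. The bucket names, owner IDs and ACL documents are constructed samples.

```python
"""Audit and remediation helpers for public READ (LIST) ACL grants on S3 buckets.

Added example, not Cloud Conformity's own code. The input shape matches the JSON
returned by `aws s3api get-bucket-acl --bucket <name>` (Owner + Grants); the sample
documents below are constructed for illustration.
"""
import json
from typing import Any

# Predefined group URI that AWS uses for the "Everyone" grantee in S3 ACLs.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
# READ on a bucket ACL lets the grantee list objects; FULL_CONTROL includes READ.
LIST_PERMISSIONS = {"READ", "FULL_CONTROL"}


def is_public_list_grant(grant: dict[str, Any]) -> bool:
    """True when a single ACL grant lets anonymous users list the bucket."""
    grantee = grant.get("Grantee", {})
    return (
        grantee.get("Type") == "Group"
        and grantee.get("URI") == ALL_USERS_URI
        and grant.get("Permission") in LIST_PERMISSIONS
    )


def public_list_grants(acl: dict[str, Any]) -> list[dict[str, Any]]:
    """Audit: return the grants in a get-bucket-acl response that expose listing."""
    return [g for g in acl.get("Grants", []) if is_public_list_grant(g)]


def remediated_policy(acl: dict[str, Any]) -> dict[str, Any]:
    """Remediation: the same policy with the public LIST grants removed.

    The result keeps the Owner/Grants shape that
    `aws s3api put-bucket-acl --bucket <name> --access-control-policy file://policy.json`
    expects. The owner's own grant and any other non-public grants are left untouched.
    """
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if not is_public_list_grant(g)],
    }


def audit_report(buckets: dict[str, dict[str, Any]]) -> dict[str, bool]:
    """Map bucket name -> True when its ACL allows public listing."""
    return {name: bool(public_list_grants(acl)) for name, acl in buckets.items()}


# Constructed sample: owner grant plus READ (LIST) for the Everyone group.
SAMPLE_PUBLIC_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE_CANONICAL_ID"},
    "Grants": [
        {
            "Grantee": {"DisplayName": "example-owner", "ID": "EXAMPLE_CANONICAL_ID",
                        "Type": "CanonicalUser"},
            "Permission": "FULL_CONTROL",
        },
        {
            "Grantee": {"Type": "Group", "URI": ALL_USERS_URI},
            "Permission": "READ",
        },
    ],
}

# Constructed sample: a private bucket whose ACL grants only the owner.
SAMPLE_PRIVATE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE_CANONICAL_ID"},
    "Grants": [
        {
            "Grantee": {"DisplayName": "example-owner", "ID": "EXAMPLE_CANONICAL_ID",
                        "Type": "CanonicalUser"},
            "Permission": "FULL_CONTROL",
        }
    ],
}


if __name__ == "__main__":
    report = audit_report({"public-example": SAMPLE_PUBLIC_ACL,
                           "private-example": SAMPLE_PRIVATE_ACL})
    for name, exposed in report.items():
        print(f"{name}: {'PUBLIC LIST' if exposed else 'ok'}")
    # Policy you would write to policy.json and pass to put-bucket-acl.
    print(json.dumps(remediated_policy(SAMPLE_PUBLIC_ACL), indent=2))
```

Feed the script with the output of `aws s3api list-buckets` followed by `aws s3api get-bucket-acl` per bucket, and apply the returned policy with `aws s3api put-bucket-acl` (or simply `--acl private` when the owner grant is all you need). Note that the ACL is only one of the mechanisms that can expose listing: a bucket policy granting `s3:ListBucket` to a wildcard principal is a separate check, and S3 Block Public Access settings govern whether such ACLs take effect at all.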
References
- AWS Documentation
  - Amazon S3 FAQs
  - Amazon S3 Bucket Public Access Considerations
  - Access Control List (ACL) Overview
  - Managing ACLs in the AWS Management Console
  - Editing Bucket Permissions
- AWS Command Line Interface (CLI) Documentation
  - list-buckets
  - get-bucket-acl
  - put-bucket-acl
You are auditing: S3 Bucket Public 'READ' Access
Risk level: Very High