<  Back to rules search

S3 bucket does not allow anonymous users to modify access control permissions

s3

Classification:

compliance

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

Modify your access control permissions to remove WRITE_ACP access for anonymous users.

Rationale

Public WRITE_ACP access gives anonymous users READ and WRITE Access Control List (ACL) permissions. With these permissions, anonymous users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.

Remediation

Console

Follow the Controlling access to a bucket with user policies docs to edit your existing policy and set the policy permissions to private.

CLI

  1. Run put-bucket-acl with your S3 bucket name and the ACL set to private.

put-bucket-acl.sh

  aws s3api get-bucket-acl
    --bucket your-bucket-name
    --acl private