Publicly accessible EC2 instance has access to an S3 bucket with sensitive data

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

A publicly accessible EC2 instance has a role that allows access to an S3 bucket containing sensitive data. This could lead to data exfiltration or data leakage. Sensitive data could include personally identifiable information (PII), credentials, financial information, and network or device information. For more details on how sensitive data is detected, see the official documentation.

Remediation

  1. Assess whether this instance needs to be accessible from the internet. If not, restrict access to the instance by updating the security group or network ACL to only allow access from trusted sources.
  2. Restrict access to the S3 bucket containing sensitive data to only the necessary users or roles by reviewing IAM policies and bucket resource policies. For more information on restricting access to an S3 bucket, see the official documentation.