
S3 bucket objects cannot be listed by all authenticated users

s3

Description

Update your bucket ACL to remove READ access granted to authenticated AWS accounts or IAM users.

Rationale

READ access on the bucket allows any authenticated IAM user or AWS account to list every object within your bucket, and then to target objects whose own ACL permissions are misconfigured.

Remediation

From the console

Follow the "Configuring ACLs: Using the S3 console to set ACL permissions for a bucket" documentation to deselect the Bucket ACL - Read permission and save the updated ACL.

From the command line

  1. Run put-bucket-acl with your bucket name and the ACL set to private.

put-bucket-acl.sh

  # Reset the bucket ACL so only the bucket owner keeps FULL_CONTROL.
  aws s3api put-bucket-acl \
    --bucket your-s3-bucket-name \
    --acl private
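The check behind this rule, as an added example that is not part of this page or its tooling: it flags grants in a get-bucket-acl response that let the AuthenticatedUsers group list objects, and builds the trimmed AccessControlPolicy for cases where other explicit grants must be kept rather than resetting to private. The ACL shape follows the S3 API; the sample canonical IDs are placeholders.

```python
from copy import deepcopy

# Predefined S3 group meaning "any authenticated AWS account or IAM user".
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# FULL_CONTROL bundles READ, so either lets the grantee list the bucket's objects.
LISTING_PERMISSIONS = {"READ", "FULL_CONTROL"}


def find_authenticated_read_grants(acl):
    """Return grants letting every authenticated AWS identity list the bucket.

    `acl` has the shape of `aws s3api get-bucket-acl` output (Owner + Grants).
    """
    offending = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        # Canonical-user grantees are specific identities; other groups (AllUsers,
        # LogDelivery) are out of scope for this rule.
        if grantee.get("Type") == "Group" and grantee.get("URI") == AUTHENTICATED_USERS_URI:
            if grant.get("Permission") in LISTING_PERMISSIONS:
                offending.append(grant)
    return offending


def remediated_acl(acl):
    """Copy of `acl` without the offending grants, as a full AccessControlPolicy.

    Use it with `put-bucket-acl --access-control-policy file://acl.json` when
    other explicit grants must survive instead of resetting to `--acl private`.
    """
    bad = find_authenticated_read_grants(acl)
    fixed = deepcopy(acl)
    fixed["Grants"] = [g for g in acl.get("Grants", []) if g not in bad]
    return fixed


# Constructed sample mirroring get-bucket-acl output; IDs are placeholders.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "bucket-owner", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
         "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "PARTNER_CANONICAL_ID_PLACEHOLDER"},
         "Permission": "READ"},
    ],
}
```

Feed it the parsed JSON from `aws s3api get-bucket-acl --bucket your-s3-bucket-name`; an empty result from find_authenticated_read_grants means the bucket passes this rule.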