S3 bucket ACL is not viewable by all authenticated users

s3

Description

Update your ACL permission to remove READ_ACP access for authenticated AWS accounts and AWS IAM users.

Rationale

AWS authenticated accounts and users with READ_ACP access can examine Amazon S3 Access Control Lists (ACLs) configuration details. This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.

Remediation

From the console

Follow the Configuring ACLs: Using the S3 console to set ACL permissions for a bucket docs to remove READ_ACP access for authenticated AWS users.

From the command line

  1. Run put-bucket-acl with your Amazon S3 bucket name and ACL set to private.

put-bucket-acl.sh

  # Replaces the bucket's ACL with the canned "private" ACL (owner FULL_CONTROL only).
  aws s3api put-bucket-acl \
    --bucket your-s3-bucket-name \
    --acl private
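To confirm a bucket actually has the grant this rule flags before (and after) remediating, the following added check is not from the rule page or the AWS CLI; it inspects the JSON returned by aws s3api get-bucket-acl and reports any grant that lets the predefined AuthenticatedUsers or AllUsers group read the ACL. The sample ACL embedded below is constructed for the demonstration.

```python
"""Check an S3 bucket ACL (as returned by `aws s3api get-bucket-acl`)
for grants that let any authenticated AWS account read the ACL."""
import json
import sys

# Predefined S3 group URIs as used in ACL grantees.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# FULL_CONTROL is a superset of READ_ACP, so it exposes the ACL as well.
ACL_READ_PERMISSIONS = {"READ_ACP", "FULL_CONTROL"}


def acl_readable_by_group_grants(acl: dict) -> list:
    """Return (group_uri, permission) pairs that let the AuthenticatedUsers or
    AllUsers group read the bucket ACL. An empty list means compliant."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants name a specific principal
        uri = grantee.get("URI", "")
        permission = grant.get("Permission")
        if uri in (AUTHENTICATED_USERS, ALL_USERS) and permission in ACL_READ_PERMISSIONS:
            findings.append((uri, permission))
    return findings


# Constructed sample shaped like get-bucket-acl output: the owner keeps
# FULL_CONTROL (normal), but any signed-in AWS identity was granted READ_ACP.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ_ACP"},
    ],
}


def main() -> None:
    # Pass a file holding the real `aws s3api get-bucket-acl --bucket NAME` output
    # as the first argument; with no argument the constructed sample is checked.
    acl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ACL
    findings = acl_readable_by_group_grants(acl)
    for uri, permission in findings:
        print(f"NON-COMPLIANT: {permission} granted to {uri}")
    if not findings:
        print("Compliant: no READ_ACP/FULL_CONTROL grant to AuthenticatedUsers or AllUsers")


if __name__ == "__main__":
    main()
```

The canned private ACL written by put-bucket-acl replaces every existing grant with owner FULL_CONTROL only, so review the full grant list, not just the flagged entries, before applying it.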