S3 Bucket has allowed List Action from all principals
ID |
aws_s3_allow_list |
Severity |
high |
Vendor |
AWS |
Resource |
IAM |
Tags |
reachable |
Description
S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. You have the configuration Effect=Allow and Action is List for all Principals.
Learn more about this topic at AWS S3 Bucket policy.
Examples
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::targetBucketName",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
}
]
}Mitigation / Fix
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::targetBucketName",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
}
]
}