Ensure S3 Bucket ACL doesn’t allow public write
| ID | s3_bucket_acl_write_to_all |
| Severity | high |
| Vendor | AWS |
| Resource | S3 |
| Tags | reachable |
Description
Unprotected S3 buckets are among the most common causes of data leaks in AWS-based systems.
An S3 bucket whose ACL grants WRITE access to everyone lets unintended actors write data into the bucket, which can lead to S3 data loss, unintended changes to applications that use that bucket, and unexpected charges.
The only S3 buckets that should be globally accessible to unauthenticated users or to Any AWS Authenticated Users are those used for hosting static websites.
Read the S3 ACL overview for more details on S3 bucket ACL configuration.
Examples
CloudFormation
{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "PublicReadWrite" (1)
      }
    }
  }
}
1 | AccessControl set to PublicReadWrite means that the S3 bucket allows WRITEs from everyone. |
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicReadWrite (1)
1 | AccessControl set to PublicReadWrite means that the S3 bucket allows WRITEs from everyone. |
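The following is an added example, not part of the original rule page, showing how this rule can be checked both at buildtime (scanning the CloudFormation template's `AccessControl` property, as in the examples above) and at runtime (inspecting a bucket ACL document in the shape returned by the S3 `GetBucketAcl` API). The template and ACL documents embedded below are constructed samples, and the function names `find_public_write_buckets` and `acl_allows_public_write` are this example's own. Of the canned ACLs CloudFormation accepts, only `PublicReadWrite` grants WRITE to everyone, so that is the value the template scan flags; the runtime check additionally treats a `FULL_CONTROL` grant to the `AllUsers` or `AuthenticatedUsers` group as public write, since full control includes write.

```python
"""Buildtime and runtime checks for the s3_bucket_acl_write_to_all rule.

Added example (not the rule page's or any vendor's code). Standard library
only; every template and ACL document here is a constructed sample.
"""
import json

# CloudFormation AccessControl values that grant WRITE to everyone.
# Among the canned ACLs, only PublicReadWrite does.
PUBLIC_WRITE_CANNED_ACLS = {"PublicReadWrite"}

# Grantee group URIs that mean "anyone" for this rule: the anonymous
# AllUsers group and the AuthenticatedUsers group (any AWS account).
WORLD_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# ACL permissions that let the grantee put or delete objects.
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}


def find_public_write_buckets(template: dict) -> list[str]:
    """Buildtime scan: return the logical IDs of AWS::S3::Bucket resources
    whose AccessControl grants WRITE to everyone. Works on the parsed JSON
    form of a template; a YAML template parses to the same structure.
    A missing AccessControl property is treated as Private, the default."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        acl = resource.get("Properties", {}).get("AccessControl", "Private")
        if acl in PUBLIC_WRITE_CANNED_ACLS:
            findings.append(logical_id)
    return findings


def acl_allows_public_write(acl: dict) -> bool:
    """Runtime check: inspect an ACL document shaped like a GetBucketAcl
    response (boto3: s3.get_bucket_acl(Bucket=...)). True if any grant gives
    WRITE or FULL_CONTROL to the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if (grantee.get("URI") in WORLD_GROUP_URIS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            return True
    return False


# Constructed sample template: one bucket violates the rule, one is a
# public-read static site (not this rule's concern), two are private.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "PublicWriteBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicReadWrite"}
    },
    "StaticSiteBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}
    },
    "PrivateBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "Private"}
    },
    "DefaultBucket": {
      "Type": "AWS::S3::Bucket"
    }
  }
}
""")

# Constructed sample ACL in GetBucketAcl response shape; the owner ID is a
# placeholder, not a real canonical user ID.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print("template findings:", find_public_write_buckets(SAMPLE_TEMPLATE))
    print("live ACL allows public write:", acl_allows_public_write(SAMPLE_ACL))
```

The template scan treats an omitted `AccessControl` as `Private` because that is the CloudFormation default. A bucket created with `ObjectOwnership: BucketOwnerEnforced` has ACLs disabled entirely, and S3 Block Public Access rejects public ACLs regardless of the `AccessControl` value; neither is inspected by this scan, which looks only at the ACL property this rule is about.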
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "Private" (1)
      }
    }
  }
}
1 | AccessControl set to Private means that the S3 bucket does not grant WRITE permission to everyone. |
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private (1)
1 | AccessControl set to Private means that the S3 bucket does not grant WRITE permission to everyone. |