Knowledge Base

An S3 bucket is configured so that authenticated users have unrestricted permissions

Provider: AWS
Service: s3
Severity: High


Historically, access to Amazon S3 resources was controlled only through access control lists (ACLs). Amazon now recommends that you control S3 access with IAM policies or S3 bucket policies instead, and disable ACLs where you can. By default, only the bucket owner's account has access to a bucket and its contents, but the bucket ACL can grant access to predefined groups. This finding indicates that the bucket ACL grants permissions to the AuthenticatedUsers group (URI http://acs.amazonaws.com/groups/global/AuthenticatedUsers). That group is not limited to users in your own account: it is every AWS account in existence, so a grant to it is effectively public access, and S3 Block Public Access treats it exactly like a grant to AllUsers. With a WRITE, WRITE_ACP or FULL_CONTROL grant, anyone holding an AWS account can overwrite or delete existing objects, upload new objects to the bucket, or change the permissions on the bucket and its contents. Best practice is to grant access only to the principals that require it, so remove such grants unless they are truly required.

Suggested Action

Remove the AuthenticatedUsers grant (and any AllUsers grant) from the bucket ACL and from object ACLs, and grant access only to the specific IAM principals or AWS accounts that require it, using IAM or bucket policies. Enable S3 Block Public Access on the bucket or account-wide so that ACLs granting access to these groups are blocked and ignored, and consider setting Object Ownership to "Bucket owner enforced", which disables ACLs entirely. If the bucket must accept writes from another account, grant that account explicitly rather than the AuthenticatedUsers group.
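As an added example (not part of the original knowledge-base entry), the following Python checks a bucket ACL for grants to the AllUsers or AuthenticatedUsers groups, rates the result, and builds the remediated ACL and the Block Public Access setting described above. The ACL is a constructed sample shaped like the response of boto3's get_bucket_acl; in practice you would pass that response in. The canonical-user ID is a placeholder, and the SAMPLE_ACL and function names are this example's own.

```python
"""Check an S3 bucket ACL for grants to the predefined public groups (constructed example)."""
import json

# Predefined S3 group grantees. Both global groups are treated as public by
# S3 Block Public Access; AuthenticatedUsers means any AWS account, not only yours.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"  # service group, not public
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# ACL permissions that let the grantee change data or permissions, not just read.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample shaped like boto3's s3.get_bucket_acl(Bucket=...) response
# (ResponseMetadata omitted). The canonical-user ID is a placeholder.
OWNER_ID = "a1b2c3" + "0" * 58
SAMPLE_ACL = {
    "Owner": {"DisplayName": "bucket-owner", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID, "DisplayName": "bucket-owner"},
         "Permission": "FULL_CONTROL"},
        # The misconfiguration this entry describes: any AWS account gets full control.
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "FULL_CONTROL"},
        # Legitimate grant for S3 server access logging; must not be flagged.
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY},
         "Permission": "WRITE"},
    ],
}


def is_public_grant(grant):
    """True if the grant targets the AllUsers or AuthenticatedUsers group."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS


def find_public_grants(acl):
    """Return (group URI, permission) for every grant to a public group."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in acl.get("Grants", []) if is_public_grant(g)]


def severity(findings):
    """'high' if a public group can write data or ACLs, 'medium' if read-only, 'none' if clean."""
    if not findings:
        return "none"
    if any(perm in WRITE_PERMISSIONS for _, perm in findings):
        return "high"
    return "medium"


def remediated_acl(acl):
    """The same ACL with public-group grants removed; the shape expected by
    s3.put_bucket_acl(Bucket=..., AccessControlPolicy=...)."""
    return {"Owner": acl["Owner"],
            "Grants": [g for g in acl.get("Grants", []) if not is_public_grant(g)]}


# Setting to apply with s3.put_public_access_block(Bucket=...,
# PublicAccessBlockConfiguration=...) so such grants are rejected and ignored
# from now on. All four flags on is the recommended baseline.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

if __name__ == "__main__":
    found = find_public_grants(SAMPLE_ACL)
    print("public grants:", found)
    print("severity:", severity(found))
    print(json.dumps(remediated_acl(SAMPLE_ACL), indent=2))
```

Running the check over the constructed ACL reports the AuthenticatedUsers FULL_CONTROL grant as high severity and leaves the owner and LogDelivery grants in place; the LogDelivery group is deliberately excluded because flagging it would break server access logging.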


Framework        Name         Control #    Control Description
nist-sp800-171   Revision 1   3.1.3        Control the flow of CUI in accordance with approved authorizations.
pci-dss          3.2.1        10.1         Implement Audit Trails
eu-gdpr          2016-679     Article-25   Data protection by design and by default


  • You can find best practices for S3 bucket access control at this link
  • You can find instructions for configuring S3 ACLs at this link
  • You can find instructions for public access to S3 buckets at this link