Read access to an S3 bucket by authenticated users is unrestricted
Historically, access to Amazon S3 resources was controlled through access control lists (ACLs). Amazon now recommends controlling S3 access with IAM policies or S3 bucket policies instead, and disabling bucket ACLs altogether where possible. By default only the bucket owner's account can access a bucket and its contents, but the bucket ACL can grant permissions to predefined groups. This finding fires when the bucket ACL grants READ (or FULL_CONTROL) to the `AuthenticatedUsers` group. Despite its name, that group does not mean "users of my account": it is any principal in any AWS account worldwide, so the grant is effectively public and lets anyone who signs up for a free AWS account list every object key in the bucket. Best practice is to limit access to only those who require it, so remove this grant unless it is genuinely required.
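The check below is an added example, not the scanner's own detection logic: it runs over a constructed GetBucketAcl response in the shape boto3's `s3.get_bucket_acl()` returns, flags grants that give READ or FULL_CONTROL to the `AuthenticatedUsers` or `AllUsers` groups (both are open to the world), and builds the owner-only ACL you would push back with `put-bucket-acl`. The owner ID and bucket contents are made up; no AWS call is made.

```python
"""Flag S3 bucket ACL grants that open the bucket to every AWS account.

SAMPLE_ACL is constructed sample data in the shape boto3's
s3.get_bucket_acl() returns; nothing here talks to AWS.
"""
import json

# Predefined-group URIs that S3 treats as "anyone". AuthenticatedUsers is any
# AWS account in the world, not just accounts in your organization.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OPEN_GROUPS = {AUTHENTICATED_USERS: "AuthenticatedUsers", ALL_USERS: "AllUsers"}

# Permissions that let a grantee read the bucket. On a bucket, READ means
# ListBucket (enumerate every object key); FULL_CONTROL includes it.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}

# Constructed sample (hypothetical owner ID): what a bucket looks like after
# someone ran `aws s3api put-bucket-acl --acl authenticated-read`.
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef" * 4, "DisplayName": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef" * 4},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def open_read_grants(acl):
    """Return (group name, permission) pairs that give read access to an open group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are out of scope here
        group = OPEN_GROUPS.get(grantee.get("URI"))
        if group and grant.get("Permission") in READ_PERMISSIONS:
            findings.append((group, grant["Permission"]))
    return findings


def private_acl(acl):
    """Build the AccessControlPolicy for put-bucket-acl: owner FULL_CONTROL only."""
    owner_id = acl["Owner"]["ID"]
    return {
        "Owner": acl["Owner"],
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": owner_id},
                    "Permission": "FULL_CONTROL"}],
    }


if __name__ == "__main__":
    for group, perm in open_read_grants(SAMPLE_ACL):
        print(f"finding: {group} has {perm} on the bucket (any AWS account can list it)")
    # Payload for: aws s3api put-bucket-acl --bucket <name> --access-control-policy file://acl.json
    print(json.dumps(private_acl(SAMPLE_ACL), indent=2))
```

Against a live bucket, `aws s3api get-bucket-acl --bucket <name>` produces the input shape used above, and `aws s3api put-bucket-acl --bucket <name> --acl private` is the quickest way to apply the owner-only result. Flagging `AllUsers` alongside `AuthenticatedUsers` goes slightly beyond this rule, which concerns the latter group only, but the two grants are equally public in practice.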
Limit S3 read access to the parties who require it: remove the `AuthenticatedUsers` grant from the bucket ACL (or set the bucket ACL to private) and grant any legitimate readers through IAM or a bucket policy instead. To keep the grant from coming back, enable S3 Block Public Access on the bucket and disable ACLs by setting Object Ownership to BucketOwnerEnforced.
|Framework Name|Control #|Control Description|
|---|---|---|
|nist-sp800-171 Revision 1|3.1.3|Control the flow of CUI in accordance with approved authorizations.|
|pci-dss 3.2.1|10.1|Implement audit trails|
|eu-gdpr 2016-679|Article-25|Data protection by design and by default|