Knowledge Base

Read access to an S3 bucket by authenticated users is unrestricted

Provider: AWS
Service: s3
Severity: High

Description

Historically, access to all Amazon S3 resources was controlled through an access control list (ACL). Amazon now recommends that you control S3 access by using IAM or S3 bucket policies instead. By default, only the account owner has access to an S3 bucket and its contents, but you can change the permissions to allow access by any user. If you grant unrestricted read access to a bucket, any authenticated user (that is, any AWS account, not only those in your organization) can list the objects in the bucket. Best practice is always to limit access to only those who require it, so we recommend that you disable public read access unless it is truly required.

Suggested Action

You should limit S3 read access to only those parties who require it.
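As an added example that is not part of this knowledge base entry, the check below inspects a bucket ACL in the shape boto3's get_bucket_acl() returns and flags the grant this finding describes (read access for the AuthenticatedUsers or AllUsers group), then shows the remediation calls. The bucket name, owner ID and sample ACL are constructed.

```python
"""Detect and remediate unrestricted read grants in an S3 bucket ACL."""

# Predefined S3 groups. A grant to AuthenticatedUsers is honoured for any
# AWS account in the world, not just yours; AllUsers is fully anonymous.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
EXTERNAL_GROUPS = {AUTHENTICATED_USERS, ALL_USERS}
READ_LIKE = {"READ", "FULL_CONTROL"}  # permissions that allow listing objects


def unrestricted_read_grants(acl):
    """Return (group, permission) pairs from a get_bucket_acl() response
    that let identities outside the account list the bucket's objects."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are scoped to one account
        uri = grantee.get("URI", "")
        if uri in EXTERNAL_GROUPS and grant.get("Permission") in READ_LIKE:
            findings.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return findings


# Constructed sample shaped like s3.get_bucket_acl(Bucket=...) output.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}


def remediate(bucket):
    """Reset the ACL to private and turn on S3 Block Public Access, which also
    blocks new AuthenticatedUsers/AllUsers grants. Requires boto3 and credentials."""
    import boto3  # imported here so the check above runs without AWS access
    s3 = boto3.client("s3")
    s3.put_bucket_acl(Bucket=bucket, ACL="private")
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )


if __name__ == "__main__":
    print(unrestricted_read_grants(SAMPLE_ACL))  # [('AuthenticatedUsers', 'READ')]
```

Against a live bucket, feed `boto3.client("s3").get_bucket_acl(Bucket=name)` to `unrestricted_read_grants()` and call `remediate(name)` only after confirming the grant is not required.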

Compliance:

Framework         Name         Control #    Control Description
nist-sp800-171    Revision 1   3.1.3        Control the flow of CUI in accordance with approved authorizations.
pci-dss           3.2.1        10.1         Implement Audit Trails
eu-gdpr           2016-679     Article-25   Data protection by design and by default

References:

  • You can find best policies for S3 bucket access control at this link
  • You can find instructions for configuring S3 ACLs at this link
  • You can find instructions for public access to S3 buckets at this link