Knowledge Base

An S3 bucket is configured to allow access control changes from any authenticated user

Provider: AWS
Service: s3
Severity: High

Description

Historically, access to Amazon S3 resources was controlled through access control lists (ACLs). Amazon now recommends controlling S3 access with IAM policies or S3 bucket policies instead, and ACLs can be turned off entirely by setting the bucket's Object Ownership to "Bucket owner enforced". By default, only the account that owns a bucket has access to it and its contents, but the bucket ACL can grant permissions to the predefined "Authenticated Users" group. That group is every AWS account holder, not just identities in your own account. Granting WRITE_ACP to it lets any AWS user rewrite the bucket's ACL, and with that grant themselves or the anonymous "All Users" group any permission on the bucket, including listing, uploading and deleting objects. FULL_CONTROL includes WRITE_ACP and is just as dangerous. There is no legitimate reason to let the public control a bucket's permissions, so the "Write ACP" grant to Authenticated Users (and All Users) should be removed.

Suggested Action

Remove any WRITE_ACP or FULL_CONTROL grant to the Authenticated Users and All Users groups from the bucket ACL so that only trusted principals can change bucket permissions. If specific accounts must be able to edit the ACL, grant them individually by canonical user ID, or better, manage access through IAM or bucket policies instead of ACLs. Enable S3 Block Public Access on the bucket so that such grants cannot be added again, and consider disabling ACLs with the "Bucket owner enforced" Object Ownership setting if nothing depends on them.
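Added example (not code from the original page or from AWS): a small Python audit that takes the ACL document returned by `aws s3api get-bucket-acl` or boto3's `get_bucket_acl`, flags any WRITE_ACP or FULL_CONTROL grant to the Authenticated Users or All Users group, and produces the corrected AccessControlPolicy to feed back into `put-bucket-acl`. The sample ACL, owner ID and display name are constructed for the example. It goes slightly beyond this entry by also flagging the anonymous All Users group and FULL_CONTROL, since both give the same ability to rewrite the ACL.

```python
"""Audit a bucket ACL for ACL-write grants to public S3 groups.

Added example for this knowledge-base entry; it is not code from the original
page or from AWS.  SAMPLE_ACL below is constructed to match the shape returned
by `aws s3api get-bucket-acl` / boto3 `get_bucket_acl`; it is not a real bucket.
"""
import copy
import json

# Predefined S3 groups.  "AuthenticatedUsers" is every AWS account holder,
# not just identities in your own account; "AllUsers" is anonymous access.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {AUTHENTICATED_USERS, ALL_USERS}

# Permissions that let the grantee rewrite the ACL itself.
ACL_WRITE_PERMISSIONS = {"WRITE_ACP", "FULL_CONTROL"}


def grants_public_acl_write(grant):
    """True if this grant gives a public group the ability to change the ACL."""
    grantee = grant.get("Grantee", {})
    return (
        grantee.get("Type") == "Group"
        and grantee.get("URI") in PUBLIC_GROUPS
        and grant.get("Permission") in ACL_WRITE_PERMISSIONS
    )


def find_public_acl_write_grants(acl):
    """Return the offending grants from a get-bucket-acl result."""
    return [g for g in acl.get("Grants", []) if grants_public_acl_write(g)]


def remediate_acl(acl):
    """Return an AccessControlPolicy (the shape put-bucket-acl accepts) with the
    offending grants removed.  Every other grant, including the owner's
    FULL_CONTROL and any legitimate group grant, is kept unchanged."""
    return {
        "Owner": copy.deepcopy(acl["Owner"]),
        "Grants": [
            copy.deepcopy(g) for g in acl.get("Grants", [])
            if not grants_public_acl_write(g)
        ],
    }


# Constructed sample: the owner has FULL_CONTROL, the legacy log-delivery group
# has WRITE (a normal group grant that must survive), and Authenticated Users
# has WRITE_ACP (the finding this entry describes).  IDs and names are placeholders.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0" * 64},
    "Grants": [
        {
            "Grantee": {"Type": "CanonicalUser", "DisplayName": "example-owner", "ID": "0" * 64},
            "Permission": "FULL_CONTROL",
        },
        {
            "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
            "Permission": "WRITE",
        },
        {
            "Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
            "Permission": "WRITE_ACP",
        },
    ],
}


if __name__ == "__main__":
    for g in find_public_acl_write_grants(SAMPLE_ACL):
        print(f"FINDING: {g['Permission']} granted to {g['Grantee']['URI']}")
    # Corrected policy, ready for:
    #   aws s3api put-bucket-acl --bucket BUCKET --access-control-policy file://acl.json
    print(json.dumps(remediate_acl(SAMPLE_ACL), indent=2))
```

Redirect the JSON output to a file and apply it with `aws s3api put-bucket-acl --bucket BUCKET --access-control-policy file://acl.json`. A `put-bucket-acl` call replaces the whole ACL, which is why the function returns the complete policy rather than only the grants to drop; keep the owner's FULL_CONTROL grant and any group grant you rely on (such as log delivery) in the result.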

Compliance:

Framework Name              Control #   Control Description
nist-sp800-171 Revision 1   3.4.6       Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

References:
  • You can find best practices for S3 bucket access control at this link
  • You can find instructions for managing public access to S3 buckets at this link