
AWS S3 bucket ACL grants READ permission to everyone

Description

Unprotected S3 buckets are one of the major causes of data theft and intrusions. An S3 bucket whose ACL grants READ to everyone (the AllUsers group, as the public-read canned ACL does) lets any unauthenticated party enumerate the bucket's contents and read any object whose own ACL is readable, which can expose sensitive data. The only S3 buckets that should be accessible to unauthenticated users, or to the Any AWS Authenticated Users group, are those used for hosting static websites. A bucket ACL is one of the mechanisms that controls access to S3 bucket data. We recommend ensuring that S3 buckets do not grant READ to the public, so that bucket data is protected from unauthorized users and sensitive data is not exposed.

Code Example

terraform
resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.private_acl_v4.id
-  acl    = "public-read"
+  acl    = "private"
}

Remediation

Terraform

  • Resource: aws_s3_bucket, aws_s3_bucket_acl
  • Arguments: acl
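A fuller hardened configuration, added here as an example and not taken from the rule page or the Checkov project: it applies the acl = "private" remediation above and adds the two companion resources a reviewer would expect alongside it. The bucket name, the resource labels and the ownership-controls setting (BucketOwnerPreferred, following the AWS provider's documented pattern for aws_s3_bucket_acl) are assumptions; provider v4 or later is assumed.

```terraform
# Added example (not the rule page's own snippet). Assumes the AWS provider v4+
# and a hypothetical bucket name "example-app-data"; adjust both for real use.

resource "aws_s3_bucket" "data" {
  bucket = "example-app-data"
}

# Ownership controls must exist before an ACL can be applied with the v4+
# provider. BucketOwnerPreferred keeps ACLs usable for acl = "private";
# if you choose BucketOwnerEnforced instead, ACLs are disabled and the
# aws_s3_bucket_acl resource below should be dropped entirely.
resource "aws_s3_bucket_ownership_controls" "data" {
  bucket = aws_s3_bucket.data.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# The remediation for this rule: no grant to AllUsers or AuthenticatedUsers.
# "public-read" here is what CKV_AWS_20 flags.
resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.data.id
  acl    = "private"

  depends_on = [aws_s3_bucket_ownership_controls.data]
}

# A private ACL alone does not stop a bucket policy, or a later PutBucketAcl
# call outside Terraform, from re-opening the bucket. Block Public Access
# rejects public ACLs and public policies at the bucket level as well.
resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
```

Running terraform plan against this configuration with the "private" line changed to "public-read" is the quickest way to confirm the rule fires in your pipeline; with the public access block in place, the apply itself would also be refused by S3.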

Rule Details

Field | Value
ID | IAC-0074
Severity | HIGH
IaC Type | Cloudformation
Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless
Checkov ID | CKV_AWS_20

References