AWS S3 buckets are accessible to any authenticated user
Description
This policy identifies S3 buckets that are accessible to any authenticated AWS user. Amazon S3 allows customers to store and retrieve any type of content from anywhere on the web. Customers often have legitimate reasons to expose an S3 bucket to the public, for example to host website content. However, these buckets often contain highly sensitive enterprise data which, if left accessible to anyone with valid AWS credentials (not just principals in your own account), may result in sensitive data leaks.
Code Example
```hcl
resource "aws_s3_bucket_acl" "fail_1" {
  bucket = "name"
  access_control_policy {
    grant {
      grantee {
        id   = "52b113e7a2f25102679df27bb0ae12b3f85be6"
        type = "CanonicalUser"
      }
      permission = "READ"
    }
    # This grant is what the policy flags: the global/AuthenticatedUsers
    # group means every AWS account in the world, not just accounts you own.
    grant {
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      }
      permission = "READ_ACP"
    }
    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}
```
Remediation
Terraform
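The following is an added remediation example, not part of the original policy page: it keeps the failing ACL above but drops the grant to the global/AuthenticatedUsers group, and adds an S3 Block Public Access resource so that any such grant is rejected or ignored in future. The bucket name "name", the resource names "example" and "pass_1", and the canonical user id from the failing example are assumed values.

```hcl
# Assumed: the bucket "example", the ACL resource "pass_1"; the canonical
# user id is the one from the failing example above.
data "aws_canonical_user_id" "current" {}

resource "aws_s3_bucket" "example" {
  bucket = "name"
}

# Same ACL as the failing example, minus the grant to the
# global/AuthenticatedUsers group. Only the bucket owner and one
# explicitly named canonical user keep access.
resource "aws_s3_bucket_acl" "pass_1" {
  bucket = aws_s3_bucket.example.id

  access_control_policy {
    grant {
      grantee {
        id   = "52b113e7a2f25102679df27bb0ae12b3f85be6"
        type = "CanonicalUser"
      }
      permission = "READ"
    }

    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}

# Defence in depth: S3 Block Public Access treats ACL grants to the
# AllUsers and AuthenticatedUsers groups as public. With these flags set,
# a PutBucketAcl that adds such a grant is rejected (block_public_acls)
# and an existing one is not honoured (ignore_public_acls).
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
```

If per-grantee ACLs are not actually required, the stronger fix is an `aws_s3_bucket_ownership_controls` resource with `object_ownership = "BucketOwnerEnforced"`, which disables ACLs on the bucket entirely; in that case the `aws_s3_bucket_acl` resource is removed and access is granted only through IAM and bucket policies.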
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0477 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV2_AWS_43 |