AWS S3 bucket access control lists (ACLs) in use
Description
Amazon S3 Access Control Lists (ACLs) allow users to specify granular permissions on S3 objects. While they provide flexible permission options, they can also be a source of misconfigurations that could lead to unintended data exposure.
Enabling bucket ownership controls with the `BucketOwnerEnforced` rule makes the bucket owner the owner of every object in the bucket and disables ACLs, so any public ACL grants no longer take effect and access is governed solely by IAM and bucket policies. Ensuring that ACLs for S3 buckets are disabled reduces the risk of unintended data exposure, especially when several AWS accounts write objects to the bucket.
Code Example
```hcl
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.bucket

  rule {
    # BucketOwnerEnforced disables ACLs: the bucket owner owns every object
    # and access is controlled by IAM and bucket policies alone.
    object_ownership = "BucketOwnerEnforced"
  }
}
```
Remediation
Terraform
- Resource: aws_s3_bucket_ownership_controls
- Arguments: rule.object_ownership
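The check this rule performs against a Terraform plan can be reproduced in a few lines. The following is an added example, not Checkov's own implementation or code from this page: it reads the JSON emitted by `terraform show -json` (the shape of `planned_values` is the documented plan format; the sample plan embedded below is constructed) and reports every `aws_s3_bucket` that is not covered by an `aws_s3_bucket_ownership_controls` resource setting `object_ownership = "BucketOwnerEnforced"`. The function and variable names are this example's own.

```python
"""Flag Terraform-planned S3 buckets that still have ACLs enabled.

Hypothetical checker (not Checkov's code) mirroring the intent of
IAC-0499 / CKV2_AWS_65: every aws_s3_bucket must be matched by an
aws_s3_bucket_ownership_controls resource whose rule sets
object_ownership = "BucketOwnerEnforced".  Input is the JSON from
`terraform show -json plan.out`.
"""
import json

# Constructed sample plan (shape follows terraform's "planned_values" output):
# two buckets; only "logs" is locked to BucketOwnerEnforced, "assets" keeps
# BucketOwnerPreferred, which still honours ACLs.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                 "name": "logs", "values": {"bucket": "example-logs"}},
                {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
                 "name": "assets", "values": {"bucket": "example-assets"}},
                {"address": "aws_s3_bucket_ownership_controls.logs",
                 "type": "aws_s3_bucket_ownership_controls", "name": "logs",
                 "values": {"bucket": "example-logs",
                            "rule": [{"object_ownership": "BucketOwnerEnforced"}]}},
                {"address": "aws_s3_bucket_ownership_controls.assets",
                 "type": "aws_s3_bucket_ownership_controls", "name": "assets",
                 "values": {"bucket": "example-assets",
                            "rule": [{"object_ownership": "BucketOwnerPreferred"}]}},
            ]
        }
    },
})


def _walk_resources(module):
    """Yield every resource in a planned_values module tree, child modules included."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def find_buckets_with_acls(plan_json: str) -> list:
    """Return addresses of aws_s3_bucket resources not locked to BucketOwnerEnforced.

    A bucket passes only when some aws_s3_bucket_ownership_controls resource
    references its bucket name and sets object_ownership to BucketOwnerEnforced.
    No controls resource, BucketOwnerPreferred and ObjectWriter all leave ACLs on.
    """
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    resources = list(_walk_resources(root))

    enforced_buckets = set()
    for res in resources:
        if res.get("type") != "aws_s3_bucket_ownership_controls":
            continue
        values = res.get("values", {})
        rules = values.get("rule") or []
        if any(r.get("object_ownership") == "BucketOwnerEnforced" for r in rules):
            enforced_buckets.add(values.get("bucket"))

    findings = []
    for res in resources:
        if res.get("type") != "aws_s3_bucket":
            continue
        bucket_name = res.get("values", {}).get("bucket")
        if bucket_name not in enforced_buckets:
            findings.append(res["address"])
    return findings


if __name__ == "__main__":
    for address in find_buckets_with_acls(SAMPLE_PLAN):
        print(f"FAILED IAC-0499 / CKV2_AWS_65: {address} still has ACLs enabled")
```

One caveat for real plans: when the bucket name is computed rather than literal, `values.bucket` is absent from the plan JSON (it is listed under `after_unknown` in the resource change instead), so a production checker also has to match the controls resource to the bucket by its configuration reference, which is what the TerraformPlan framework does on top of the planned values.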
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0499 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_65 |