S3 bucket policies should not allow list actions for all IAM principals and public users


List actions in S3 bucket policies (for example s3:ListBucket) let callers enumerate an organization's S3 buckets and the objects they hold. Malicious actors may use this information to identify potential targets. List actions should be scoped only to the users and roles that require them, not to all principals.

Console Remediation Steps

  • Navigate to S3.

  • Select the S3 bucket.

  • Click the Permissions tab.

  • Select Bucket Policy.

  • In the Bucket Policy editor, ensure that list actions are not assigned to all (*) principals.

CLI Remediation Steps

  • Ensure that S3 bucket policies created via CLI do not allow list actions for all (*) principals:

    • aws s3api put-bucket-policy --bucket <bucket value> --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["<account id>"]},"Action":"s3:List*","Resource":["<bucket arn>","<bucket arn>/*"]},{"Effect":"Deny","Principal":"*","Action":"s3:List*","Resource":["<bucket arn>","<bucket arn>/*"],"Condition":{"StringNotEquals":{"aws:PrincipalAccount":"<account id>"}}}]}'

    • The Allow statement scopes list actions to principals in the named account; the Deny statement explicitly blocks list actions from every other principal, including anonymous callers. s3:ListBucket is evaluated against the bucket ARN itself, so the Resource element names both the bucket and its objects. Do not use an unconditional Deny on "*" for all actions: an explicit Deny overrides the Allow and would lock out the account's own principals as well.
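The following checker is an added example and is not part of this page or any vendor tooling. It evaluates a bucket policy document offline and reports Allow statements that grant list actions to all principals, which is the condition the remediation above removes. Bucket names and account ids in the sample policies are constructed placeholders. Wildcards in Action ("*", "s3:*", "s3:List*") and NotAction grants are expanded; Condition blocks are not evaluated but are attached to each finding for triage.

```python
import fnmatch
import json

# S3 actions (lower-cased) that let a caller enumerate bucket or object
# contents. Policy action patterns are matched against these with fnmatch.
LIST_ACTIONS = (
    "s3:listbucket",
    "s3:listbucketversions",
    "s3:listbucketmultipartuploads",
    "s3:listmultipartuploadparts",
)


def _as_list(value):
    """The IAM policy grammar allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True when the Principal element grants to all principals (public)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        # {"AWS": "*"} and {"AWS": ["*", ...]} both mean every principal
        return "*" in _as_list(principal.get("AWS"))
    return False


def _matching_list_actions(patterns):
    """List actions covered by one or more (possibly wildcarded) action patterns."""
    matched = set()
    for pattern in _as_list(patterns):
        pattern = pattern.lower()
        for action in LIST_ACTIONS:
            if fnmatch.fnmatchcase(action, pattern):
                matched.add(action)
    return matched


def list_actions_granted(statement):
    """List actions a statement covers, honouring NotAction (everything except)."""
    if "NotAction" in statement:
        return sorted(set(LIST_ACTIONS) - _matching_list_actions(statement["NotAction"]))
    return sorted(_matching_list_actions(statement.get("Action")))


def find_public_list_statements(policy_document):
    """Return findings for Allow statements that give list actions to everyone."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        actions = list_actions_granted(stmt)
        if not actions:
            continue
        condition = stmt.get("Condition", {})
        findings.append({
            "statement": stmt.get("Sid", f"Statement[{index}]"),
            "actions": actions,
            # Condition keys are reported, not evaluated: a conditioned
            # public Allow still needs a human to confirm it is narrow enough.
            "conditions": sorted(key for operator in condition.values() for key in operator),
        })
    return findings


# Constructed sample policies (placeholder bucket and account id).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:List*", "Resource": "arn:aws:s3:::example-bucket"}],
})

NOTACTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EverythingButPut", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "NotAction": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["123456789012"]}, "Action": "s3:List*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:List*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("notaction", NOTACTION_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(find_public_list_statements(doc)))
```

A real policy would be fetched with `aws s3api get-bucket-policy` and its `Policy` field passed to `find_public_list_statements`; an empty result for the hardened policy is the expected state after remediation.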