IAM policies should not allow broad list actions on S3 buckets

Description

Should a malicious actor gain access to a role with a policy that includes broad list actions such as ListAllMyBuckets, the malicious actor would be able to enumerate all buckets and potentially extract sensitive data.

Remediation Steps

AWS Console

• Navigate to IAM.

• In the left navigation, select Policies.

• Select the policy that includes S3 list actions, and ensure that broad list actions (ListBuckets, S3:List*, S3:*) are not included.

AWS CLI

• Ensure that IAM policies do not include broad S3 list actions:

  • aws iam update-policy --policy-id PolicyID --policy-document file://policy.json

policy.json:

{
     "Version": "2012-10-17",
     "Statement": [
        {
        "Action": "s3:Get*",
        "Effect": "Allow",
        "Resource": "*"
     }
   ]
}

Terraform

• Ensure that IAM policy definitions in aws_iam_policy, aws_iam_group_policy, aws_iam_role_policy, and aws_iam_user_policy resources do not contain policy statements with the following:

  • Action = “s3:ListAllMyBuckets”, “s3:*”, or “s3:List*”

  • Effect = “Allow”

  • Resource = “*”

Example Configuration

resource "aws_iam_group_policy" "example" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Deny"
        Action = [
          "s3:ListAllMyBuckets",
        ]
        Resource = "*"
      },
    ]
  })
  # other required fields here
}

Documentation Links

AWS Console and CLI

• Amazon S3 Preventative Security Best Practices

• Console: Creating IAM Policies

• CLI: Creating IAM Policies

Terraform

• Resource: aws_iam_policy

  • Field: policy

• Resource: aws_iam_group_policy

  • Field: policy

• Resource: aws_iam_role_policy

  • Field: policy

• Resource: aws_iam_user_policy

  • Field: policy