IAM policies should not allow broad list actions on S3 buckets

Description

Should a malicious actor gain access to a role whose policy includes a broad list action such as s3:ListAllMyBuckets (or a wildcard that covers it, such as s3:List*, s3:* or *), they could enumerate every bucket in the account. The bucket names themselves are reconnaissance; combined with list or get permissions on those buckets, they let the actor locate and extract sensitive data.

Remediation Steps

AWS Console

  • Navigate to IAM.

  • In the left navigation, select Policies.

  • Select the policy that includes S3 list actions, and ensure that broad list actions (s3:ListAllMyBuckets, s3:List*, s3:*, or a bare *) are not included. Note that the IAM action that lists the buckets in an account is s3:ListAllMyBuckets (the API it controls is ListBuckets); s3:ListBucket lists the objects in a single bucket and can be scoped to specific bucket ARNs in the Resource element.

AWS CLI

  • Ensure that IAM policies do not include broad S3 list actions. Customer managed policies are versioned, so publish the corrected document as a new default version (there is no update-policy command):

    • aws iam create-policy-version --policy-arn arn:aws:iam::ACCOUNT_ID:policy/PolicyName --policy-document file://policy.json --set-as-default

  • A managed policy can hold at most five versions; if the command fails for that reason, remove an old one with aws iam delete-policy-version --policy-arn ... --version-id vN first.

  • For an inline policy, overwrite it on the principal it belongs to (put-user-policy and put-group-policy work the same way):

    • aws iam put-role-policy --role-name RoleName --policy-name PolicyName --policy-document file://policy.json

policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:Get*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

This document removes the list actions, which is the point of this check, but s3:Get* on Resource "*" still grants read access to every object in every bucket. In practice, restrict Resource to the bucket and object ARNs the principal actually needs (for example arn:aws:s3:::example-bucket and arn:aws:s3:::example-bucket/*).
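Checking a policy document by eye misses wildcard grants, so the following is an added example (not part of this page or of any AWS tooling) of a small audit script that applies the rule above to a policy document. It reports every Allow statement whose Action covers s3:ListAllMyBuckets, by name or through a wildcard such as s3:List*, s3:* or *, and treats Allow with NotAction as broad unless the NotAction list excludes the action. Matching is case-insensitive and honours IAM's * and ? wildcards. The embedded sample policy is constructed for the demonstration; in use, pipe in a real document, e.g. the output of aws iam get-policy-version --policy-arn ARN --version-id v1 --query PolicyVersion.Document.

```python
"""Flag IAM policy statements that grant broad S3 list actions.

Added example, not the page's or AWS's own code. Reads a policy document
from stdin (or falls back to a constructed sample) and prints the Allow
statements that cover s3:ListAllMyBuckets.
"""
import json
import re
import sys

# Account-wide bucket enumeration. s3:ListBucket (objects in one bucket) is
# deliberately not listed: it can be scoped to individual bucket ARNs.
BROAD_LIST_ACTIONS = ("s3:ListAllMyBuckets",)


def _as_list(value):
    """Action/NotAction/Statement may be a string/dict or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_pattern(pattern):
    """Compile an IAM action pattern: '*' and '?' wildcards, case-insensitive."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def _grants(pattern, action):
    """True if the policy pattern covers the given IAM action name."""
    return _action_pattern(pattern).match(action) is not None


def find_broad_list_statements(policy_document):
    """Return [(statement_index, offending_pattern), ...] for Allow statements
    that cover a broad S3 list action. A Condition element is ignored on
    purpose: it narrows when the grant applies, not which actions it covers."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny is the remediation, not the problem
        if "NotAction" in stmt:
            # Allow + NotAction grants everything not listed, so it is broad
            # unless every broad action is excluded.
            excluded = _as_list(stmt["NotAction"])
            if not all(any(_grants(p, a) for p in excluded) for a in BROAD_LIST_ACTIONS):
                findings.append((idx, "NotAction"))
            continue
        for pattern in _as_list(stmt.get("Action")):
            if any(_grants(pattern, a) for a in BROAD_LIST_ACTIONS):
                findings.append((idx, pattern))
                break
    return findings


def check_policy_json(text):
    """Parse a policy document given as JSON text and return its findings."""
    return find_broad_list_statements(json.loads(text))


# Constructed sample: a scoped read grant plus a wildcard list grant.
SAMPLE_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["s3:list*"], "Resource": "*"},
    ],
})

if __name__ == "__main__":
    doc = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BROAD_POLICY
    for idx, pattern in check_policy_json(doc):
        print(f"Statement[{idx}] grants broad S3 list access via {pattern!r}")
```

Run it against every version of every customer managed policy and every inline policy before and after remediation; a clean run returns no findings, and the sample above reports statement 1 because s3:list* covers s3:ListAllMyBuckets regardless of case.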

Terraform

Example Configuration

resource "aws_iam_group_policy" "example" {
  name  = "deny-broad-s3-list"
  group = aws_iam_group.example.name # assumes an aws_iam_group.example resource exists

  # An explicit Deny overrides any Allow from other attached policies, so
  # members of the group cannot enumerate buckets even if another policy
  # still grants s3:List* or s3:*. Removing the broad Allow is still the
  # preferred fix; this guards against it being reintroduced.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Deny"
        Action = [
          "s3:ListAllMyBuckets",
        ]
        Resource = "*"
      },
    ]
  })
}