IAM policies should not allow broad list actions on S3 buckets

Description

Should a malicious actor gain access to a role with a policy that includes broad list actions such as ListAllMyBuckets, the malicious actor would be able to enumerate all buckets and potentially extract sensitive data.

Console Remediation Steps

• Navigate to IAM.

• In the left navigation, select Policies.

• Select the policy that includes S3 list actions, and ensure that broad list actions (ListBuckets, S3:List*, S3:*) are not included.

CLI Remediation Steps

• Ensure that IAM policies do not include broad S3 list actions:

  • aws iam update-policy --policy-id PolicyID --policy-document file://policy.json

policy.json:

{
     "Version": "2012-10-17",
     "Statement": [
        {
        "Action": "s3:Get*",
        "Effect": "Allow",
        "Resource": "*"
     }
   ]
}

Documentation Links

• Amazon S3 Preventative Security Best Practices