IAM policies should not allow broad list actions on S3 buckets
Description
Should a malicious actor gain access to a role whose policy includes broad list actions such as ListAllMyBuckets, they would be able to enumerate every bucket in the account and potentially extract sensitive data.
Remediation Steps
AWS Console
Navigate to IAM.
In the left navigation, select Policies.
Select the policy that includes S3 list actions, and ensure that broad list actions (ListBuckets, S3:List*, S3:*) are not included.
AWS CLI
Ensure that IAM policies do not include broad S3 list actions. Managed policies are updated by publishing a new policy version and making it the default:
aws iam create-policy-version --policy-arn PolicyARN --policy-document file://policy.json --set-as-default
policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:Get*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Terraform
Ensure that IAM policy definitions in aws_iam_policy, aws_iam_group_policy, aws_iam_role_policy, and aws_iam_user_policy resources do not contain policy statements with all of the following:
Action = "s3:ListAllMyBuckets", "s3:*", or "s3:List*"
Effect = "Allow"
Resource = "*"
Example Configuration
resource "aws_iam_group_policy" "example" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Deny"
        Action = [
          "s3:ListAllMyBuckets",
        ]
        Resource = "*"
      },
    ]
  })
  # other required fields here
}
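The Terraform section above spells out the rule's criteria (Effect "Allow", Resource "*", and an Action covering s3:ListAllMyBuckets directly or through the s3:List* / s3:* wildcards). The following added example, which is not part of the original rule page, applies those criteria to a policy document offline; the function names and the sample policy are constructed for illustration.

```python
"""Flag IAM policy statements that grant broad S3 list actions (added example)."""
import json
from fnmatch import fnmatchcase

# The broad list action this rule targets. IAM action names are
# case-insensitive, so all comparisons are done in lower case.
SENSITIVE_ACTION = "s3:listallmybuckets"


def _as_list(value):
    """IAM allows a single string/object or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def action_covers(action_pattern: str, action: str = SENSITIVE_ACTION) -> bool:
    """True if an Action entry such as "s3:List*", "s3:*" or "*" grants `action`."""
    return fnmatchcase(action, action_pattern.lower())


def find_broad_list_statements(policy_document: str) -> list:
    """Return the Sid (or positional label) of each statement violating the rule."""
    doc = json.loads(policy_document)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements, like the Terraform example, are compliant
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # The rule is scoped to resource-wide grants
        if any(action_covers(a) for a in _as_list(stmt.get("Action"))):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# Constructed sample: the page's compliant s3:Get* statement plus a violating one.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": "s3:Get*", "Resource": "*"},
        {"Sid": "BroadList", "Effect": "Allow",
         "Action": ["s3:List*"], "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(find_broad_list_statements(SAMPLE_POLICY))  # ['BroadList']
```

Feed it the output of `aws iam get-policy-version` (the PolicyVersion.Document field) to review existing managed policies before publishing a new default version.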