IAM policies should not allow broad list actions on S3 buckets


Should a malicious actor gain access to a role with a policy that includes broad list actions such as ListAllMyBuckets, the malicious actor would be able to enumerate all buckets and potentially extract sensitive data.

Console Remediation Steps

  • Navigate to IAM.

  • In the left navigation, select Policies.

  • Select the policy that includes S3 list actions, and ensure that broad list actions (ListBuckets, S3:List*, S3:*) are not included.

CLI Remediation Steps

  • Ensure that IAM policies do not include broad S3 list actions:

    • aws iam update-policy --policy-id PolicyID --policy-document file://policy.json


     "Version": "2012-10-17",
     "Statement": [
        "Action": "s3:Get*",
        "Effect": "Allow",
        "Resource": "*"