IAM policies should not allow broad list actions on S3 buckets
Description
Should a malicious actor gain access to a role with a policy that includes broad list actions such as ListAllMyBuckets, they would be able to enumerate all buckets in the account and potentially extract sensitive data.
Console Remediation Steps
Navigate to IAM.
In the left navigation, select Policies.
Select the policy that includes S3 list actions, and ensure that broad list actions (ListBuckets, s3:List*, s3:*) are not included.
CLI Remediation Steps
Ensure that IAM policies do not include broad S3 list actions:
aws iam create-policy-version --policy-arn PolicyARN --policy-document file://policy.json --set-as-default
(PolicyARN is a placeholder for the ARN of the managed policy. A customer managed policy can hold at most five versions, so if that limit is reached, remove an old version with aws iam delete-policy-version before creating the new default.)
policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:Get*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
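The following is an added example, not part of this page or of the tooling it documents: an offline check that walks an IAM policy document and reports every Allow statement whose Action would grant the broad S3 list permissions described above. It relies on two facts about IAM action matching (names are compared case-insensitively and support * and ? wildcards), so "s3:List*", "s3:*" and "*" are caught as well as the literal "s3:ListAllMyBuckets". One assumption goes beyond the page and is labelled as such in the code: s3:ListBucket is treated as broad only when it is granted on every bucket ("*" or "arn:aws:s3:::*") rather than on named bucket ARNs. The policy documents embedded below are constructed for illustration.

```python
import fnmatch
import json

# Bucket enumeration: any Allow action pattern that matches this name is broad.
BUCKET_ENUMERATION_ACTION = "s3:listallmybuckets"
# Assumption (not stated on the page): s3:ListBucket is flagged only when it is
# granted on every bucket instead of on specific bucket ARNs.
BUCKET_LISTING_ACTION = "s3:listbucket"
ALL_BUCKETS_RESOURCES = {"*", "arn:aws:s3:::*"}


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_matches(action_name: str, pattern: str) -> bool:
    """Case-insensitive IAM-style wildcard match of a concrete action against a policy pattern."""
    return fnmatch.fnmatchcase(action_name, pattern.lower())


def find_broad_s3_list_grants(policy_document: dict) -> list:
    """Return one finding per (statement, action) that grants broad S3 listing.

    Only Allow statements with an explicit Action are examined; Deny statements
    and NotAction statements are out of scope for this check.
    """
    findings = []
    for index, statement in enumerate(_as_list(policy_document.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        resources = set(_as_list(statement.get("Resource")))
        for action in _as_list(statement.get("Action")):
            reason = None
            if _iam_matches(BUCKET_ENUMERATION_ACTION, action):
                reason = "action pattern covers s3:ListAllMyBuckets"
            elif _iam_matches(BUCKET_LISTING_ACTION, action) and resources & ALL_BUCKETS_RESOURCES:
                reason = "s3:ListBucket granted on every bucket rather than on named bucket ARNs"
            if reason:
                findings.append({"statement": index, "action": action, "reason": reason})
    return findings


# Constructed sample: the remediated policy shown on this page; no list actions.
REMEDIATED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "s3:Get*", "Effect": "Allow", "Resource": "*"}
  ]
}
""")

# Constructed sample: three broad list grants plus one acceptable, bucket-scoped
# ListBucket grant and a Deny statement that the check ignores.
OFFENDING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:List*", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, policy in (("remediated", REMEDIATED_POLICY), ("offending", OFFENDING_POLICY)):
        print(name, json.dumps(find_broad_s3_list_grants(policy), indent=2))
```

The check deliberately matches the concrete action name against the policy's pattern, not the other way round, because that is the direction IAM evaluates: a request for s3:ListAllMyBuckets is allowed if any Allow pattern matches it. Run it over the JSON returned by aws iam get-policy-version to audit existing policies before editing them.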