IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
Description
Instance profiles contain trust policies that enable EC2 instances to assume IAM roles. To prevent a compromised EC2 instance from enumerating every S3 bucket in the account and then reaching sensitive data, the IAM policies attached to the roles that instance profiles reference should not allow broad list actions on S3 buckets, such as s3:ListAllMyBuckets.
Console Remediation Steps
CLI Remediation Steps
Ensure that the IAM policies attached to IAM roles associated with instance profiles do not include broad S3 list actions. A customer-managed policy is changed by publishing a new version and making it the default (the AWS CLI has no update-policy command); <POLICY_ARN> below is a placeholder for the policy's ARN:
aws iam create-policy-version --policy-arn <POLICY_ARN> --policy-document file://policy.json --set-as-default
policy.json:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:Get*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
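As an added example (not part of this rule page or any vendor tool), the following Python evaluates a policy document offline for the condition this rule describes: an Allow statement that grants s3:ListAllMyBuckets or s3:ListBucket on every bucket. It handles the IAM syntax variants a real document may use (single string vs. list, case-insensitive wildcards, Deny, NotAction); the action and resource sets it flags and the sample documents are assumptions constructed for the example.

```python
import fnmatch
import json

# S3 list actions treated as "broad" when granted on every bucket, and the
# resource patterns taken to mean "every bucket" (assumed sets for this check).
BROAD_LIST_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket")
BROAD_RESOURCES = ("*", "arn:aws:s3:::*", "arn:*:s3:::*")


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and allow '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def broad_s3_list_grants(policy_document):
    """Return sorted (statement index, action) pairs for broad S3 list grants.

    policy_document is a dict or JSON string in IAM policy syntax. Conditions
    are ignored, so the result is conservative; an empty list means compliant.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant a permission
        if not any(r in BROAD_RESOURCES for r in _as_list(stmt.get("Resource"))):
            continue  # scoped to named buckets, so not a broad grant
        for action in BROAD_LIST_ACTIONS:
            if "NotAction" in stmt:
                # Allow + NotAction grants everything except the listed actions
                granted = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                granted = any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))
            if granted:
                findings.append((idx, action))
    return sorted(findings)


# Constructed sample documents (not from any real account)
COMPLIANT = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:Get*", "Effect": "Allow", "Resource": "*"}]}
OFFENDING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:list*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::app-logs-example"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
```

The same function can be run over the Document field returned by aws iam get-policy-version for each policy attached to an instance-profile role; only statement 0 of OFFENDING is reported, because statement 1 is limited to one bucket and statement 2 is a Deny.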