S3 buckets should not be publicly readable

Description

S3 buckets should not be publicly readable. A bucket with a public ACL or a public bucket policy is exposed to the entire internet if all Block Public Access settings are disabled at both the bucket and the account level. This is a critical exposure: any AWS user, or any anonymous user, can read the data in the bucket.

Console Remediation Steps

  • Navigate to S3.

  • Select the S3 bucket.

  • Select Permissions > Access Control List.

  • In Public access, select Everyone and uncheck:

    • List objects

    • Write objects

    • Read bucket permissions

    • Write bucket permissions

  • Click Save.

  • Select Bucket Policy.

  • Navigate to S3.

  • In the left navigation, select Block public access (account settings).

  • Click Edit.

  • Check the Block all public access checkbox.

  • Click Save Changes.

  • Type confirm in the confirmation field and click Confirm.

CLI Remediation Steps

To make an S3 bucket not publicly accessible:

aws s3api put-bucket-acl \
    --bucket fugue-bucket-example --acl private
aws s3api put-public-access-block \
    --bucket fugue-bucket-example \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
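The following is an added example, not Fugue's code or the rule's own evaluation logic. It models the condition in the description (public ACL or public bucket policy, with Block Public Access off at both levels) and shows why the two CLI commands above close the exposure: `--acl private` removes the public grants, and the four Block Public Access flags neutralize any public ACL or policy that remains. It works offline on dictionaries shaped like the output of `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`. Assumptions: policy Conditions are ignored, only a Principal of `*` (or `{"AWS": "*"}`) counts as public, and the sample bucket state is constructed.

```python
"""Offline check: is an S3 bucket effectively publicly readable?

Added example (not Fugue's code). Uses the data shapes returned by
`aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`.
Simplifications (assumptions): policy Conditions are ignored, and only
Principal "*" / {"AWS": "*"} is treated as public.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
# ACL permissions that let the grantee read objects or the bucket's ACL
READ_PERMISSIONS = {"READ", "READ_ACP", "FULL_CONTROL"}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def effective_public_access_block(account_cfg, bucket_cfg):
    """Account and bucket settings combine: a flag is on if either level enables it."""
    return {k: bool(account_cfg.get(k, False) or bucket_cfg.get(k, False))
            for k in BLOCK_KEYS}


def acl_is_public_read(grants):
    """True if AllUsers or AuthenticatedUsers holds a read-capable grant."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g.get("Permission") in READ_PERMISSIONS
        for g in grants
    )


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _actions(statement):
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def policy_is_public_read(policy_json):
    """True if an Allow statement grants object reads to everyone (Conditions ignored)."""
    if not policy_json:
        return False
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        if any(a.lower() in {"s3:getobject", "s3:get*", "s3:*", "*"} for a in _actions(st)):
            return True
    return False


def is_publicly_readable(grants, policy_json, account_cfg, bucket_cfg):
    """The rule from the description, with Block Public Access applied at both levels."""
    block = effective_public_access_block(account_cfg, bucket_cfg)
    # IgnorePublicAcls makes existing public grants inert; BlockPublicAcls only rejects new ones.
    via_acl = acl_is_public_read(grants) and not block["IgnorePublicAcls"]
    # RestrictPublicBuckets cuts off anonymous and cross-account access granted by a public policy.
    via_policy = policy_is_public_read(policy_json) and not block["RestrictPublicBuckets"]
    return via_acl or via_policy


# Constructed sample bucket state (not real account data)
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
               "Permission": "FULL_CONTROL"}
SAMPLE_GRANTS = [OWNER_GRANT,
                 {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::fugue-bucket-example/*"}],
})
ALL_OFF = {k: False for k in BLOCK_KEYS}
ALL_ON = {k: True for k in BLOCK_KEYS}  # what the put-public-access-block command sets


def demo():
    """Exposure before and after applying the bucket-level block from the CLI steps."""
    before = is_publicly_readable(SAMPLE_GRANTS, SAMPLE_POLICY, ALL_OFF, ALL_OFF)
    after = is_publicly_readable(SAMPLE_GRANTS, SAMPLE_POLICY, ALL_OFF, ALL_ON)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry this models: `put-bucket-acl --acl private` alone leaves a bucket with a public policy readable, and `BlockPublicAcls`/`BlockPublicPolicy` alone only stop new public grants from being written. Only `IgnorePublicAcls` and `RestrictPublicBuckets` neutralize public access that is already configured, which is why the CLI step enables all four.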