S3 bucket policies and ACLs should not be configured for public read access

Description

S3 bucket policies and ACLs should not be configured for public read access. It is a security risk for a bucket to have an ACL or bucket policy that is configured for public read access, even if the bucket itself is not currently public. A bucket configured for public read access can potentially be made public, allowing any AWS user or anonymous user to access the data in it.

Console Remediation Steps

• Navigate to S3.

• Select the S3 bucket.

• Select Permissions > Access Control List.

• In Public access, select Everyone and uncheck:

  • List objects

  • Write objects

  • Read bucket permissions

  • Write bucket permissions

• Click Save.

• Navigate to S3.

• In the left navigation, select Block public access (account settings).

• Click Edit.

• Check the Block all public access checkbox.

• Click Save Changes.

• Enter confirm and click confirm.

CLI Remediation Steps

To make an S3 bucket not publicly accessible:

aws s3api put-bucket-acl \
    --bucket fugue-bucket-example --acl private

aws s3api put-public-access-block \
    --bucket fugue-bucket-example \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

Documentation Links

• How Do I Set ACL Bucket Permissions

• Using Amazon S3 Block Public Access

• How do I edit public access settings for all the S3 buckets in an AWS account?

• put-bucket-acl

• put-public-access-block