S3 bucket policies and ACLs should not be configured for public read access

Description

S3 bucket policies and ACLs should not grant public read access. A bucket whose ACL grants permissions to the AllUsers or AuthenticatedUsers groups, or whose bucket policy allows access to a wildcard principal ("Principal": "*" or "AWS": "*"), is a security risk even if nothing sensitive is in it today: any anonymous user, or in the AuthenticatedUsers case any AWS account, can read the data, and the bucket is one object upload away from leaking. Block Public Access settings at the account or bucket level override such grants, so they should be enabled in addition to removing the grants themselves.

Console Remediation Steps

  • Navigate to S3.

  • Select the S3 bucket.

  • Select Permissions > Access Control List.

  • In Public access, select Everyone and uncheck:

    • List objects

    • Write objects

    • Read bucket permissions

    • Write bucket permissions

  • Click Save.

  • Navigate to S3.

  • In the left navigation, select Block public access (account settings).

  • Click Edit.

  • Check the Block all public access checkbox.

  • Click Save Changes.

  • Type confirm in the confirmation field and click Confirm.

CLI Remediation Steps

To make an S3 bucket not publicly accessible (replace fugue-bucket-example with the bucket name). The first command resets the ACL to the private canned ACL, which also drops any non-owner grants, including intentional cross-account ones, so review the current ACL first. The second command enables all four Block Public Access settings at the bucket level; it does not delete an existing bucket policy, so review the policy separately and remove any statement that allows a wildcard principal.

aws s3api put-bucket-acl \
    --bucket fugue-bucket-example --acl private
aws s3api put-public-access-block \
    --bucket fugue-bucket-example \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
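Before and after running the commands above it helps to verify what the API actually reports. The following Python is an added example, not Fugue's rule logic or part of the AWS CLI: it evaluates the JSON shapes returned by `aws s3api get-bucket-acl`, `get-bucket-policy` (the `Policy` string) and `get-public-access-block` for public ACL grants, wildcard-principal Allow statements, and incomplete Block Public Access settings. The sample documents embedded below are constructed for the example; in practice you would pipe the s3api output into these functions.

```python
"""Offline checks for public S3 ACL grants and bucket-policy statements.

Added example; the sample ACL, policy and public-access-block documents are
constructed to mirror the JSON that `aws s3api` returns, not captured output.
"""
import json

# ACL grantee URIs meaning "anyone on the internet" / "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

BLOCK_PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            found.append((group, grant["Permission"]))
    return found


def _principals(principal):
    """Flatten a policy Principal element ("*", {"AWS": [...]}, ...) to strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def public_policy_statements(policy):
    """Return the Sid (or index) of each Allow statement with a wildcard principal.

    Conservative by design: a Condition does not suppress the finding, so a
    statement AWS itself might classify as non-public (e.g. restricted with
    aws:SourceVpce) is still reported for a human to review.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    found = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal", {})):
            found.append(stmt.get("Sid", "statement[%d]" % i))
    return found


def block_public_access_complete(pab):
    """True only when all four Block Public Access settings are enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(key) is True for key in BLOCK_PUBLIC_ACCESS_KEYS)


def assess(acl, policy, pab):
    """Combine the three checks into one findings dict for a bucket."""
    return {
        "public_acl_grants": public_acl_grants(acl),
        "public_policy_statements": public_policy_statements(policy),
        "block_public_access_complete": block_public_access_complete(pab),
    }


# Constructed sample inputs in the s3api output shapes.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLEOWNERCANONICALID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERCANONICALID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS and
                     "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ_ACP"},
    ],
}
# get-bucket-policy returns the policy document as a JSON string.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::fugue-bucket-example/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::fugue-bucket-example/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "AllowCloudTrail", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::fugue-bucket-example/*"}
  ]
}""")
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB), indent=2))
```

The Deny statement and the CloudTrail service principal are deliberately not flagged: only Allow statements with a wildcard principal make a bucket public. After applying the CLI remediation, `public_acl_grants` should return an empty list and `block_public_access_complete` should return True; any remaining policy finding must be fixed by editing the bucket policy itself.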