S3 bucket policies and ACLs should not be configured for public read access
Description
S3 bucket policies and ACLs should not be configured for public read access. It is a security risk for a bucket to have an ACL or bucket policy that is configured for public read access, even if the bucket itself is not currently public. A bucket configured for public read access can potentially be made public, allowing any AWS user or anonymous user to access the data in it.
Console Remediation Steps
Navigate to S3.
Select the S3 bucket.
Select Permissions > Access Control List.
In Public access, select Everyone and uncheck:
List objects
Write objects
Read bucket permissions
Write bucket permissions
Click Save.
Navigate to S3.
In the left navigation, select Block public access (account settings).
Click Edit.
Check the Block all public access checkbox.
Click Save Changes.
Type confirm in the confirmation field and click Confirm.
CLI Remediation Steps
To set the bucket ACL to private and then turn on all four Block Public Access settings for the bucket (replace fugue-bucket-example with your bucket name):
aws s3api put-bucket-acl \
--bucket fugue-bucket-example --acl private
aws s3api put-public-access-block \
--bucket fugue-bucket-example \
--public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
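As an added illustration (this is not part of the page and not Fugue's own rule logic), the following Python evaluates the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return and reports the ACL grants and bucket-policy statements that give public read, which is the condition this rule flags. The sample ACL and policy are constructed; the bucket name `fugue-bucket-example` is reused from the CLI steps above.

```python
import fnmatch

# ACL grantee URIs that mean "public" and permissions that include read.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers"}
READ_PERMISSIONS = {"READ", "READ_ACP", "FULL_CONTROL"}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

def public_read_grants(acl):
    """Return (group, permission) for each ACL grant that gives public read."""
    hits = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group and grant.get("Permission") in READ_PERMISSIONS:
            hits.append((group, grant["Permission"]))
    return hits

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # Both "*" and {"AWS": "*"} mean anyone, including anonymous callers.
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def public_read_statements(policy):
    """Return the Sid of each Allow statement giving an unrestricted principal read
    access. Statements with a Condition are skipped (it may narrow the principal)."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]  # e.g. "s3:get*"
        reads = any(fnmatch.fnmatchcase(act, p) for p in patterns for act in READ_ACTIONS)
        if reads and "Condition" not in stmt:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

# Constructed samples shaped like get-bucket-acl / get-bucket-policy output.
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::fugue-bucket-example/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Get*"],
     "Resource": "arn:aws:s3:::fugue-bucket-example/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}]}
```

Statements that carry a Condition are reported nowhere by this check; review them manually, since a condition such as aws:SourceVpc may or may not actually keep the bucket private.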