Skip to main content

A DigitalOcean spaces bucket has public read Access Control List whichcan lead to private data exposure

  • GG_ID: GG_IAC_0017
  • Severity: CRITICAL
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: DigitalOcean
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: False


DigitalOcean Spaces provides an API to manage data storage via HTTP requests. Spaces also supports a set of access controls for buckets and objects, among which pre-defined "canned ACLs" such as "public-read". A spaces bucket or object analyzed is set with "public-read" ACLs: this means that its content can be publicly read without authentication. Setting such ACLs should be done only if explicitly required as it can publicly expose internal data.


  • Data Exposure

Remediation guidelines#

Except if the bucket or object needs to be publicly accessed by unauthenticated users, we recommend the following:

  • Switch the bucket to the "private" preset ACL.
  • Set a custom ACL for the concerned object or bucket. See the related documentation provided.

External documentation#