A DigitalOcean Spaces bucket has a public-read Access Control List, which can lead to private data exposure
- GG_ID: GG_IAC_0017
- Severity: CRITICAL
- Complexity: LOW
- Categories: DATA, PERMISSION
- Providers: DigitalOcean
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: False
# Description
DigitalOcean Spaces provides an API to manage data storage via HTTP requests. Spaces also supports a set of access controls for buckets and objects, including pre-defined "canned ACLs" such as "public-read". The analyzed Spaces bucket or object is set with the "public-read" ACL, which means its content can be read publicly without authentication. Set this ACL only when it is explicitly required, as it can publicly expose internal data.
# Impact
- Data Exposure
# Remediation guidelines
Unless the bucket or object needs to be publicly accessible to unauthenticated users, we recommend the following:
- Switch the bucket to the "private" preset ACL.
- Set a custom ACL for the concerned object or bucket. See the related documentation provided.
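
The following is an added example, not part of the original page or the scanner's own rule: a pre-apply check that lists every Spaces bucket or object planned with the "public-read" ACL so it can be switched to "private". It assumes the infrastructure is defined with Terraform's DigitalOcean provider (resource types `digitalocean_spaces_bucket` and `digitalocean_spaces_bucket_object`, each with an `acl` argument) and reads the JSON produced by `terraform show -json`; the plan content and resource names below are constructed sample data.

```python
import json

# Terraform resource types from the DigitalOcean provider that accept a canned ACL.
SPACES_TYPES = {"digitalocean_spaces_bucket", "digitalocean_spaces_bucket_object"}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "digitalocean_spaces_bucket.assets",
             "type": "digitalocean_spaces_bucket",
             "values": {"name": "example-assets", "region": "nyc3", "acl": "public-read"}},
            {"address": "digitalocean_spaces_bucket.backups",
             "type": "digitalocean_spaces_bucket",
             "values": {"name": "example-backups", "region": "nyc3", "acl": "private"}},
        ],
        "child_modules": [{
            "address": "module.site",
            "resources": [
                {"address": "module.site.digitalocean_spaces_bucket_object.dump",
                 "type": "digitalocean_spaces_bucket_object",
                 "values": {"bucket": "example-backups", "key": "db.sql", "acl": "public-read"}},
            ],
        }],
    }},
})


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_public_read(plan_json):
    """Return addresses of Spaces buckets/objects planned with acl = "public-read"."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    return sorted(
        r["address"] for r in iter_resources(root)
        if r.get("type") in SPACES_TYPES
        and (r.get("values") or {}).get("acl") == "public-read"
    )


if __name__ == "__main__":
    for address in find_public_read(SAMPLE_PLAN):
        print(f"public-read ACL: {address}")
```

Note that the object inside the private `example-backups` bucket is still flagged: an object-level "public-read" ACL exposes that object even when the bucket itself is private.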