A DigitalOcean Spaces bucket has a public-read Access Control List, which can lead to private data exposure

  • GG_ID: GG_IAC_0017
  • Severity: CRITICAL
  • Complexity: LOW
  • Categories: DATA, PERMISSION
  • Providers: DigitalOcean
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: False

Description

DigitalOcean Spaces provides an API to manage data storage via HTTP requests. Spaces also supports a set of access controls for buckets and objects, including pre-defined "canned ACLs" such as "public-read". The analyzed Spaces bucket or object is set with the "public-read" ACL, which means that its content can be read publicly without authentication. Set this ACL only when it is explicitly required, because it can publicly expose internal data.

Impact

  • Data Exposure

Remediation guidelines

Unless the bucket or object needs to be publicly accessible to unauthenticated users, we recommend the following:

  • Switch the bucket to the "private" preset ACL.
  • Set a custom ACL for the concerned object or bucket. See the related documentation provided.
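
The flagged setting next to the "private" preset, as an added example that is not part of the original page. It assumes the infrastructure is written in Terraform with the DigitalOcean provider's `digitalocean_spaces_bucket` and `digitalocean_spaces_bucket_object` resources; every resource name, bucket name, key, region and content value is constructed.

```hcl
# Added example (assumption: Terraform with the DigitalOcean provider).
# All names, keys, regions and content below are constructed.

# Flagged: the canned ACL "public-read" makes the bucket readable
# without authentication.
resource "digitalocean_spaces_bucket" "exposed" {
  name   = "example-internal-reports"
  region = "nyc3"
  acl    = "public-read"
}

# Flagged: an object carries its own acl argument, so it is reported
# independently of the bucket it lives in.
resource "digitalocean_spaces_bucket_object" "exposed_report" {
  region  = digitalocean_spaces_bucket.exposed.region
  bucket  = digitalocean_spaces_bucket.exposed.name
  key     = "reports/sample.csv"
  content = "constructed sample content"
  acl     = "public-read"
}

# Corrected: the "private" preset requires authenticated requests.
resource "digitalocean_spaces_bucket" "restricted" {
  name   = "example-internal-reports-private"
  region = "nyc3"
  acl    = "private"
}

# Corrected: the object is private as well, so neither resource
# exposes its content to unauthenticated readers.
resource "digitalocean_spaces_bucket_object" "restricted_report" {
  region  = digitalocean_spaces_bucket.restricted.region
  bucket  = digitalocean_spaces_bucket.restricted.name
  key     = "reports/sample.csv"
  content = "constructed sample content"
  acl     = "private"
}
```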

External documentation