Skip to main content

Allowing public exposure of a S3 bucket can lead to data leakage

  • GG_ID: GG_IAC_0055
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: False


AWS S3 Block Public Access is a feature that allows setting up centralized controls to manage public access to S3 resources.

Enforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls rule on a bucket allows to make sure that no ACL (Access control list) or policy giving public access can be associated with the bucket, and that existing ACL giving public access to the bucket will not be taken into account.


  • Data leakage.
  • Data tampering.

Remediation guidelines#

Associate a S3 BlockPublicAccess to the bucket with the following properties enabled:

  • BlockPublicAcls
  • BlockPublicPolicy
  • IgnorePublicAcls

External documentation#