
Allowing public exposure of an S3 bucket can lead to data leakage

  • GG_ID: GG_IAC_0055
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: False

Description

AWS S3 Block Public Access is a feature that provides centralized controls for managing public access to S3 resources.

Enforcing the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls settings on a bucket ensures that no ACL (access control list) or bucket policy granting public access can be attached to the bucket, and that any existing ACL granting public access to the bucket is ignored.

Impact

  • Data leakage.
  • Data tampering.

Remediation guidelines

Associate an S3 BlockPublicAccess configuration with the bucket and enable the following properties:

  • BlockPublicAcls
  • BlockPublicPolicy
  • IgnorePublicAcls
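The remediation above expressed as Terraform, as an added example that is not part of the GitGuardian documentation: the first resource is the non-compliant shape this rule flags (a bucket with no public access block attached), and the `aws_s3_bucket_public_access_block` resource that follows is the fix, enabling the three properties the rule requires. The bucket name is a constructed placeholder. `restrict_public_buckets` is the fourth Block Public Access setting; it goes beyond what this rule checks and is included because it completes the AWS-recommended set.

```hcl
# Non-compliant: a bucket on its own. Nothing prevents a public ACL or a
# public bucket policy from being attached to it later.
resource "aws_s3_bucket" "data" {
  bucket = "example-data-bucket" # constructed placeholder name
}

# Compliant: attach a Block Public Access configuration to the same bucket.
resource "aws_s3_bucket_public_access_block" "data" {
  bucket = aws_s3_bucket.data.id

  # Reject any request that would attach a public ACL to the bucket or its objects.
  block_public_acls = true

  # Reject any bucket policy that would grant public access.
  block_public_policy = true

  # Ignore public ACLs that already exist on the bucket or its objects.
  ignore_public_acls = true

  # Not required by GG_IAC_0055, but completes the Block Public Access set:
  # limit access under a public policy to the account owner and AWS services.
  restrict_public_buckets = true
}
```

Attaching the block through a separate resource, rather than relying on the account-level default, keeps the control visible in the plan for the bucket itself, which is what an IaC scanner inspects.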

External documentation