
Granting public ACL rights on a bucket can lead to data leakage

  • GG_ID: GG_IAC_0057
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: False

Description

AWS S3 access control lists (ACLs) let you manage access to buckets and objects. Canned ACLs are predefined sets of grants. For example, the public-read canned ACL allows anyone to read the contents of any bucket it is applied to.

The canned ACL defined on the bucket allows public access to the bucket and the objects it contains.

Impact

  • Data leakage.
  • Data tampering (if the ACL is public-read-write).

Remediation guidelines

Either:

  • Use the private canned ACL.
  • Use an ACL with specific grantees instead of a canned ACL.
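As an added example (not part of this check's page and not GitGuardian's code), a small Python classifier that expands canned ACL names into the grants they stand for and scores either a canned ACL string (as written in IaC) or an explicit GetBucketAcl-style grant list against the two impacts listed above. The group URIs are AWS's AllUsers/AuthenticatedUsers identifiers; the sample grant lists at the end are constructed, and treating AuthenticatedUsers as public is a stated assumption.

```python
# Added example (not GitGuardian's code): classify an S3 bucket ACL by the
# exposure it creates. Canned ACL names expand into their grants, so an IaC
# value like acl = "public-read" and a GetBucketAcl grant list share one rule.
from typing import Dict, Iterable, List, Set, Tuple, Union

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Predefined grants behind each canned ACL (owner FULL_CONTROL is implied).
CANNED_ACL_GRANTS: Dict[str, List[Tuple[str, str]]] = {
    "private": [],
    "public-read": [(ALL_USERS, "READ")],
    "public-read-write": [(ALL_USERS, "READ"), (ALL_USERS, "WRITE")],
    "authenticated-read": [(AUTH_USERS, "READ")],
}

def canned_acl_to_grants(name: str) -> List[dict]:
    """Expand a canned ACL name into GetBucketAcl-style grant dicts."""
    if name not in CANNED_ACL_GRANTS:
        raise ValueError(f"unknown canned ACL: {name}")
    return [{"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}
            for uri, perm in CANNED_ACL_GRANTS[name]]

def public_permissions(grants: Iterable[dict]) -> Set[str]:
    """Permissions granted to everyone. AuthenticatedUsers counts as public
    here (assumption): any AWS account, i.e. anyone, is a member."""
    exposed = set()
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            exposed.add(g["Permission"])
    return exposed

def assess_bucket_acl(acl: Union[str, List[dict]]) -> Dict[str, bool]:
    """Map a canned ACL name or grant list to the two impacts of this check."""
    grants = canned_acl_to_grants(acl) if isinstance(acl, str) else acl
    perms = public_permissions(grants)
    return {
        "public": bool(perms),
        "data_leakage": bool(perms & {"READ", "FULL_CONTROL"}),
        # WRITE_ACP lets anyone rewrite the ACL itself, so it counts as tampering.
        "data_tampering": bool(perms & {"WRITE", "WRITE_ACP", "FULL_CONTROL"}),
    }

# Constructed samples: the remediated form (one specific grantee) and a
# hand-written ACL that is public even though no canned ACL is used.
SPECIFIC_GRANTEE_ACL = [{"Grantee": {"Type": "CanonicalUser",
                                     "ID": "EXAMPLE_CANONICAL_ID"}, "Permission": "READ"}]
EXPLICIT_PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
```

The second sample shows why the check should be applied to the effective grants rather than the canned ACL name alone: an explicit grant to the AllUsers group is just as public as public-read.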

External documentation