Skip to main content

Granting public ACL rights on a bucket can lead to data leakage

  • GG_ID: GG_IAC_0057
  • Severity: HIGH
  • Complexity: LOW
  • Categories: DATA
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: False


AWS S3 Access control lists (ACLs) enable you to manage access to buckets and objects. Canned ACL are predefined grants. For example, the public-read canned ACL will allow anyone to read the content of a bucket with such ACL associated.

The canned ACL defined on the bucket allow public access to the bucket and the objects it contains.


  • Data leakage.
  • Data tampering (if the ACL is public-read-write).

Remediation guidelines#


  • Use private canned ACL.
  • Use ACL with specific grantee, instead of canned ACL.

External documentation#