Skip to main content

A CloudTrail bucket has public read Access Control List whichcan lead to private data exposure

  • GG_ID: GG_IAC_0071
  • Severity: CRITICAL
  • Complexity: LOW
  • Categories: DATA
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: False


Cloudtrail logs record every action taken by a user, role or AWS service in the account as events. The bucket where the logs are stored is set with "public-read" ACLs. This means that its content can be publicly read without authentication.


  • Data Exposure

Remediation guidelines#

Disable public access to the bucket storing the logs. For example, use the "private" preset ACL in the bucket's configuration.

External documentation#