Granting public ACL rights on a bucket can lead to data leakage

Severity	Exploitability	Providers	Categories
HIGH	HIGH	AWS	DATA

Description

AWS S3 Access control lists (ACLs) enable you to manage access to buckets and objects. Canned ACL are predefined grants. For example, the public-read canned ACL will allow anyone to read the content of a bucket with such ACL associated.

The canned ACL defined on the bucket allow public access to the bucket and the objects it contains.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	True	False	False

Data leakage.
Data tampering (if the ACL is public-read-write).

Remediation guidelines

Either:

Use private canned ACL.
Use ACL with specific grantee, instead of canned ACL.

References

AWS ACLs overview
AWS canned ACLs
AWS S3 Bucket ACL in terraform

Granting public ACL rights on a bucket can lead to data leakage

Description

Impact

Remediation guidelines

References

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Granting public ACL rights on a bucket can lead to data leakage

Description​

Impact​

Remediation guidelines​

References​

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Subscribe to our newsletter

Description

Impact

Remediation guidelines

References