A CloudTrail bucket has public read Access Control List which can lead to private data exposure

Severity	Exploitability	Providers	Categories
CRITICAL	HIGH	AWS	DATA

Description

Cloudtrail logs record every action taken by a user, role or AWS service in the account as events. The bucket where the logs are stored is set with "public-read" ACLs. This means that its content can be publicly read without authentication.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	True	False	False

Data Exposure

Remediation guidelines

Disable public access to the bucket storing the logs. For example, use the "private" preset ACL in the bucket's configuration.

References

Block public access for S3 buckets

A CloudTrail bucket has public read Access Control List which can lead to private data exposure

Description

Impact

Remediation guidelines

References

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

A CloudTrail bucket has public read Access Control List which can lead to private data exposure

Description​

Impact​

Remediation guidelines​

References​

Was this page helpful?

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status

Subscribe to our newsletter

Description

Impact

Remediation guidelines

References