S3 buckets can have an associated bucket access control list (ACL). A bucket ACL lets you share the bucket with other AWS accounts, but it can also inadvertently make the bucket public.
S3 buckets are used for data storage. Publicly exposed buckets frequently lead to data leaks or ransomware.
S3 buckets can be assigned custom or default ACLs. In both cases, a public ACL may put the bucket at risk.
Note: An S3 bucket ACL granting READ access only allows listing the objects inside the bucket; it does not allow reading their contents. Read access to the objects themselves is governed by each object's ACL or by the bucket policy.
Identify affected resources
Use the following command to retrieve a bucket's ACL:
aws s3api get-bucket-acl --bucket your-bucket
The bucket is vulnerable if a Grant entry grants permissions to the AllUsers or AuthenticatedUsers predefined group (grantee URIs http://acs.amazonaws.com/groups/global/AllUsers and http://acs.amazonaws.com/groups/global/AuthenticatedUsers). Note that despite its name, the AuthenticatedUsers group grants access to any authenticated AWS user in the world, not only to principals in your own AWS account, so it is effectively public.
You can also check whether the bucket is publicly accessible by attempting to access it unauthenticated. The first command tests listing, the second tests reading an object, and the third tests writing; only run the write test against a bucket you own, because it creates an object in the bucket.
aws s3 --no-sign-request ls s3://bucket
aws s3 --no-sign-request cp s3://bucket/test.txt /tmp/test.txt
aws s3 --no-sign-request cp /tmp/test.txt s3://bucket/test.txt
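The check above can be automated by evaluating the JSON that get-bucket-acl returns. The following is an added example, not code from the original page or from Datadog: it flags grants to the two predefined global groups, explains what each bucket-level permission actually allows (READ is only listing), and applies the one public access block setting that neutralises existing public ACL grants (IgnorePublicAcls). The sample ACL document, owner ID and function names are constructed for the example.

```python
"""Evaluate an S3 bucket ACL, as returned by `aws s3api get-bucket-acl`,
for grants that make the bucket public.

Usage:  aws s3api get-bucket-acl --bucket your-bucket | python3 check_acl.py
Without piped input the script evaluates the constructed SAMPLE_ACL below.
"""
import json
import sys

# Predefined Amazon S3 groups. Despite its name, AuthenticatedUsers covers any
# principal in any AWS account, so a grant to either group is public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anonymous", AUTHENTICATED_USERS: "any AWS account"}

# Bucket-level meaning of each ACL permission.
PERMISSION_EFFECT = {
    "READ": "list objects in the bucket (not read their contents)",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "modify the bucket ACL (effectively full control)",
    "FULL_CONTROL": "all of the above",
}

# Constructed sample: owner has FULL_CONTROL, plus two public grants.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"}
  ]
}
""")


def public_grants(acl):
    """Return every grant in the ACL made to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in PUBLIC_GROUPS:
            continue  # canonical users and e-mail grantees are not public
        permission = grant["Permission"]
        findings.append({
            "group": uri.rsplit("/", 1)[-1],
            "audience": PUBLIC_GROUPS[uri],
            "permission": permission,
            "effect": PERMISSION_EFFECT.get(permission, "unknown permission"),
        })
    return findings


def effective_public_grants(acl, public_access_block=None):
    """Public grants S3 still honours once a public access block is considered.

    IgnorePublicAcls=true makes S3 ignore all existing public ACL grants;
    BlockPublicAcls only rejects new public ACLs, so it does not help here.
    Accepts either the raw get-public-access-block response or its inner
    PublicAccessBlockConfiguration dictionary.
    """
    if public_access_block:
        cfg = public_access_block.get("PublicAccessBlockConfiguration",
                                      public_access_block)
        if cfg.get("IgnorePublicAcls"):
            return []
    return public_grants(acl)


if __name__ == "__main__":
    acl = SAMPLE_ACL if sys.stdin.isatty() else json.load(sys.stdin)
    for f in public_grants(acl):
        print(f"PUBLIC: {f['group']} ({f['audience']}) has {f['permission']}: "
              f"{f['effect']}")
    if not public_grants(acl):
        print("No public ACL grants found")
```

Pair this with `aws s3api get-public-access-block --bucket your-bucket` (and the account-level equivalent) fed to effective_public_grants to tell a finding that is already neutralised apart from one that is live; the ACL should still be cleaned up in both cases.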
Remediate vulnerable resources
- Reset the bucket ACL to the private canned ACL, which leaves only the bucket owner with FULL_CONTROL:
aws s3api put-bucket-acl --bucket your-bucket --acl private
- Enable a bucket-specific public access block. IgnorePublicAcls makes S3 ignore any public ACL grants that remain, and BlockPublicAcls rejects new ones:
aws s3api put-public-access-block \
    --bucket your-bucket \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
- Alternatively, enable an account-wide public access block. This ensures that no S3 bucket in the AWS account is public, including any bucket that is intentionally public, so confirm none exists before applying it.
aws s3control put-public-access-block \
    --account-id your-aws-account-id \
    --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSPM Rule | S3 bucket ACL and bucket objects are not publicly readable".
Access control list (ACL) overview
Leaky buckets in 2022
Blocking public access to your S3 storage