Public S3 bucket through bucket ACL

PLATFORM

SERVICE

s3

DATA BREACHES

known

LAST UPDATED

August 28, 2023

EXPLOITABILITY: high
Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit it; some refer to this as likelihood.

IMPACT: medium
How impactful a successful exploitation of this vulnerability is expected to be to your environment and organization.

About

S3 buckets can have an associated bucket access control list (ACL). A bucket ACL enables you to share the S3 bucket with other AWS accounts, but can also lead to inadvertently making it public.

Understanding Impact

Business Impact

S3 buckets are used for data storage. Publicly exposed buckets frequently lead to data leaks or ransomware.

Technical Impact

S3 buckets can be assigned custom or default ACLs. In both cases, a public ACL may put the bucket at risk.

Note: A bucket ACL granting READ only allows listing the objects in the bucket; it does not allow reading their contents.

Identify affected resources

Use the following command to retrieve a bucket's ACL:

aws s3api get-bucket-acl --bucket your-bucket

The bucket is vulnerable if a Grant entry grants permissions to the AllUsers or AuthenticatedUsers group. Note that despite its name, the AuthenticatedUsers group grants public access to any authenticated AWS user in the world, not only to principals in your own AWS account.

You can also check whether the bucket is publicly accessible by attempting to access it unauthenticated. The commands below test, in order, public listing, public read, and public write:

aws s3 --no-sign-request ls s3://bucket
aws s3 --no-sign-request cp s3://bucket/test.txt /tmp/test.txt
aws s3 --no-sign-request cp /tmp/test.txt s3://bucket/test.txt
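The grant check described above, as an added example that is not part of the original page: it parses the JSON that `aws s3api get-bucket-acl` prints, flags grants to the AllUsers and AuthenticatedUsers groups, and also accounts for the IgnorePublicAcls setting of any bucket- or account-level public access block (the sample ACL and block configuration are constructed; the function names are my own).

```python
import json

# The two AWS global grantee groups whose presence in an ACL makes a bucket public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(group, permission), ...] for every grant to a public group.

    `acl` is the parsed JSON output of `aws s3api get-bucket-acl`.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant["Permission"]))
    return found


def acl_is_effectively_public(acl, *public_access_blocks):
    """A public grant is only effective when no applicable public access block
    (bucket-level or account-level) sets IgnorePublicAcls=true, since that
    setting makes S3 ignore public ACL grants. Each block is the
    PublicAccessBlockConfiguration dict as returned by the CLI."""
    if any(pab.get("IgnorePublicAcls") for pab in public_access_blocks):
        return False
    return bool(public_acl_grants(acl))


# Constructed sample in the shape `aws s3api get-bucket-acl` returns (not real data).
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"}
  ]
}""")

# Constructed block configuration matching the remediation commands on this page.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for group, permission in public_acl_grants(SAMPLE_ACL):
        print(f"public grant: {group} has {permission}")
    print("effectively public without a block:", acl_is_effectively_public(SAMPLE_ACL))
    print("effectively public with a block:", acl_is_effectively_public(SAMPLE_ACL, BLOCK_ALL))
```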

Remediate vulnerable resources

  • Reset the bucket ACL to the private canned ACL (owner-only access):
    aws s3api put-bucket-acl --bucket your-bucket --acl private
  • Enable a bucket-level public access block:
    aws s3api put-public-access-block \
      --bucket your-bucket \
      --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
  • Alternatively, enable an account-wide public access block, which ensures that no S3 bucket in the AWS account can be public:
    aws s3control put-public-access-block \
      --account-id your-aws-account-id \
      --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSPM Rule | S3 bucket ACL and bucket objects are not publicly readable".
