Ensure that your AWS S3 buckets' content cannot be publicly listed, in order to protect against unauthorized access. An S3 bucket that grants READ (LIST) access to everyone allows anonymous users to list the objects within the bucket. Malicious users can use the object names acquired through the listing to find objects with misconfigured ACL permissions and access those objects.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Granting public “READ” access to your S3 buckets can allow unauthorized users to list the objects available within the buckets and use this information to gain access to your data. Cloud Conformity strongly recommends against setting READ (LIST) ACL permission for the “Everyone” predefined group in production.
To determine if your existing AWS S3 buckets allow public READ (LIST) access, perform the following:
Remediation / Resolution
To remove public READ access from your S3 buckets, you need to perform the following:
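As an added example (not Cloud Conformity's own code), the audit and the remediation described above as a boto3 script. The pure functions evaluate a bucket ACL in the shape returned by the real `get_bucket_acl` API and build the `AccessControlPolicy` that `put_bucket_acl` accepts; `SAMPLE_ACL` is a constructed ACL so the logic can be exercised offline. Treating the `AuthenticatedUsers` group (any AWS account) as public alongside `AllUsers` ("Everyone") is this example's own choice, and the `--fix` flag is the example's, not a Conformity option.

```python
"""Audit S3 bucket ACLs for public READ (LIST) grants and optionally remove them.

Added example; it is not Cloud Conformity's code.  Uses the documented boto3 S3
calls list_buckets / get_bucket_acl / put_bucket_acl and the group URIs AWS
uses in ACL grants.
"""
from typing import Dict, List

# Predefined-group URIs as they appear in a bucket ACL grant.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # the "Everyone" group
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Assumption of this example: any AWS account counts as "public" too.
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
# On a bucket ACL, READ means "list objects"; FULL_CONTROL includes it.
LIST_PERMISSIONS = {"READ", "FULL_CONTROL"}

# Constructed sample ACL (placeholder IDs) in the shape get_bucket_acl returns.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder", "DisplayName": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
    "ResponseMetadata": {"HTTPStatusCode": 200},
}


def public_read_grants(acl: Dict) -> List[Dict]:
    """Return the grants that let a public predefined group list the bucket."""
    return [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g.get("Permission") in LIST_PERMISSIONS
    ]


def without_public_read(acl: Dict) -> Dict:
    """Build the AccessControlPolicy for put_bucket_acl with the public LIST
    grants removed.  Only Owner and Grants are copied (ResponseMetadata would
    fail parameter validation); every other grant, including the log-delivery
    WRITE grant in the sample, is kept unchanged."""
    offending = public_read_grants(acl)
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if g not in offending],
    }


def audit_buckets(fix: bool = False) -> Dict[str, List[str]]:
    """Check every bucket in the account; with fix=True rewrite the offending
    ACLs.  Needs credentials with s3:ListAllMyBuckets, s3:GetBucketAcl and,
    for fix, s3:PutBucketAcl.  Returns {bucket: ["AllUsers:READ", ...]}."""
    import boto3  # imported here so the pure functions above run offline

    s3 = boto3.client("s3")
    findings: Dict[str, List[str]] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        grants = public_read_grants(acl)
        if not grants:
            continue
        findings[name] = [
            f"{g['Grantee']['URI'].rsplit('/', 1)[-1]}:{g['Permission']}" for g in grants
        ]
        if fix:
            s3.put_bucket_acl(Bucket=name, AccessControlPolicy=without_public_read(acl))
    return findings


if __name__ == "__main__":
    import sys

    results = audit_buckets(fix="--fix" in sys.argv)
    for name, grants in results.items():
        print(f"{name}: public LIST access via {', '.join(grants)}")
    if not results:
        print("No bucket grants READ (LIST) to a public group.")
```

Run it with no arguments to list offending buckets, or with `--fix` to rewrite their ACLs. Rewriting the ACL is the direct fix the page asks for; as a belt-and-braces control, S3 Block Public Access (`put_public_access_block` with `BlockPublicAcls` and `IgnorePublicAcls`) makes such grants ineffective for the whole bucket or account, so enabling it prevents the finding from reappearing.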
Rule: S3 Bucket Public 'READ' Access
Risk level: Very High