Data protection

Internet Facing EC2 Instance with Broad S3 Access

Risk Level

Hazardous (3)

Compliance Frameworks


The internet-facing asset {AwsEc2Instance} ({AwsEc2Instance.InstanceId}) was found to have broad access to S3 via its Instance Profile ({AwsEc2Instance.InstanceProfile}). Access is considered too broad if the instance is given permissions to all S3 Actions (s3:*) or all S3 Resources (arn:aws:s3:::*).
Recommended Mitigation

Limit the instance's access to S3 by granting it specific action permissions and defining the specific resources it should have access to. This can be achieved by revising the instance's IAM Instance Profile - {AwsEc2Instance.InstanceProfile}.
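The broad-access condition above, as an added example that is not the page's own tooling: a Python check that parses an IAM policy document attached to an instance profile's role and reports whether it allows all S3 actions (s3:*) or all S3 resources (arn:aws:s3:::*). The two sample policies are constructed; fetching the real documents from IAM (for example with boto3) is left out so the check runs offline.

```python
import json

# Constructed sample policies (not from the original page). BROAD_POLICY grants
# every S3 action on every resource; SCOPED_POLICY names actions and buckets.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-config-bucket",
                  "arn:aws:s3:::app-config-bucket/*"]}]})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def broad_s3_findings(policy_json):
    """Return the reasons a policy document grants broad S3 access.

    Only Allow statements widen access; Deny statements are skipped. A
    statement written with NotAction/NotResource is flagged for review because
    it usually inverts into a very wide grant and cannot be judged lexically.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("statement uses NotAction/NotResource; review manually")
            continue
        # IAM matches action names case-insensitively; "*" alone covers s3:* too.
        actions = [a.strip().lower() for a in _as_list(stmt.get("Action"))]
        resources = [r.strip() for r in _as_list(stmt.get("Resource"))]
        touches_s3 = any(a == "*" or a.startswith("s3:") for a in actions)
        if any(a in ("*", "s3:*") for a in actions):
            findings.append("all S3 actions allowed (s3:* or *)")
        if touches_s3 and any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append("all S3 resources allowed (arn:aws:s3:::* or *)")
    return findings


def is_broad(policy_json):
    """True when the policy would trigger this finding."""
    return bool(broad_s3_findings(policy_json))
```

Run the check over every inline and attached policy of the role behind the instance profile; a single matching Allow statement is enough to trigger the finding.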