S3 Bucket Allows Public Access via Bucket Policies

Data at risk

S3 Bucket Allows Public Access via Bucket Policies

Risk Level

Hazardous (3)

Platform(s)

Compliance Frameworks

Brazilian General Data Protection (LGPD)
CCPA
CPRA
CSA CCM
Data Security Posture Management (DSPM) Best Practices
GDPR
HITRUST
ISO 27701
ISO/IEC 27001
Mitre ATT&CK
New Zealand Information Security Manual
NIST 800-171
NIST 800-53
Orca Best Practices
PDPA
UK Cyber Essentials

Description

Ensure that your S3 buckets are not publicly accessible via bucket policies in order to protect against unauthorized access. Allowing unrestricted access through bucket policies gives everyone the ability to list the objects within the bucket (ListBucket), download objects (GetObject), upload/delete objects (PutObject, DeleteObject), view objects permissions (GetBucketAcl), edit objects permissions (PutBucketAcl) and more.

Recommended Mitigation

Set the bucket's policy to provide access to known parties only.

S3 Bucket Allows Public Access via Bucket Policies

Description

Need help?

CLOUD SECURITY PLATFORM

TECHNOLOGY ECOSYSTEM

By Solution

By Industry

COMPARISONS