Bucket ACL grants READ_ACP permission to everyone
Description
Unprotected S3 buckets are one of the major causes of data theft and intrusions. An S3 bucket that grants READ_ACP access to everyone lets attackers read the bucket ACL and learn who controls the bucket and its objects, and how. The only S3 buckets that should be globally accessible, whether to unauthenticated users or to the Any Authenticated AWS User group, are those used for hosting static websites. The bucket ACL is one of the mechanisms that manages access to S3 bucket data.
We recommend that S3 buckets not be publicly accessible for READ_ACP actions, to protect S3 data from unauthorized users and to avoid exposing sensitive data to public access.
Fix - Runtime
Procedure
S3 buckets should be protected by using the bucket ACL and bucket policies. If you want to share data with other users via S3 buckets, create pre-signed URLs with a short expiration duration.
To generate a pre-signed URL for the file samplefile.zip, use the following command:
```shell
aws s3 presign --expires-in 36000 s3://sharedfolder/samplefile.zip
```
To generate pre-signed URLs for every object in an S3 bucket, use the following command:
```shell
# Reads one object key per line from standard input and prints a pre-signed URL for each.
while read -r line; do aws s3 presign --expires-in 36000 "s3://sharedfolder/$line"; done
```
📘 Note
For all automation-related work use the bucket policy and grant access to the required roles.
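As an added example (not part of the original page or of the Prisma Cloud policy itself), the following Python code flags the grants this policy is about, working over the JSON shape returned by `aws s3api get-bucket-acl` or boto3's `get_bucket_acl`. It treats both the AllUsers and AuthenticatedUsers groups as "everyone", and also flags FULL_CONTROL because it includes READ_ACP; the sample ACLs are constructed.

```python
# Added example: detect S3 bucket ACL grants that expose READ_ACP (or FULL_CONTROL, which
# includes it) to "everyone". The ACL documents below are constructed sample data.
from typing import Dict, List

# Predefined S3 groups meaning "everyone" (anonymous) and "any authenticated AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Any authenticated AWS user",
}

# Permissions that let the grantee read the ACL: READ_ACP directly, or FULL_CONTROL (a superset).
ACL_READ_PERMISSIONS = {"READ_ACP", "FULL_CONTROL"}


def find_public_read_acp_grants(acl: Dict) -> List[str]:
    """Return one human-readable finding per grant that exposes the bucket ACL publicly."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        permission = grant.get("Permission")
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees are specific principals, not "everyone"
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if label and permission in ACL_READ_PERMISSIONS:
            findings.append(f"{label} has {permission}")
    return findings


# Constructed samples: one bucket leaking READ_ACP to AllUsers, one compliant private ACL.
LEAKY_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ_ACP"},
    ],
}
PRIVATE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("leaky-bucket", LEAKY_ACL), ("private-bucket", PRIVATE_ACL)):
        problems = find_public_read_acp_grants(acl)
        print(name, "->", problems or "OK")
```

A plain READ grant to a group is deliberately not flagged: it exposes object listing, which is a different policy, not the ACL itself.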
Fix - Buildtime
Terraform
- Resource: aws_s3_bucket, aws_s3_bucket_acl
- Argument: acl
```text
resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.private_acl_v4.id
- acl    = "public-read"
+ acl    = "private"
}
```
## CloudFormation
- **Resource**: AWS::S3::Bucket.data
- **Argument**: Properties.AccessControl
```yaml
Type: AWS::S3::Bucket
Properties:
  ...
  # Remove the public canned ACL; a bucket with no AccessControl property defaults to Private.
- AccessControl: PublicReadWrite / PublicRead
```