
S3 Buckets shouldn't be Publicly Open for Reads

warning
This module is being shut down in March 2025. See Shutdown of Cost and Compliance Modules for more information.

Allowing public read access to an S3 bucket exposes your company's data to anyone on the internet. Leaving a bucket open for public reads can lead to severe security issues such as data exposure and, because every anonymous download is served from your bucket, unexpected data-transfer charges on your AWS bill.

Parameters

None

What This Rule Checks

The S3 Buckets shouldn't be Publicly Open for Reads rule checks that both of the following conditions are met:

  • The bucket ACL does not grant READ or READ_ACP to the predefined AllUsers or AuthenticatedUsers groups (the grantees with the URIs http://acs.amazonaws.com/groups/global/AllUsers and http://acs.amazonaws.com/groups/global/AuthenticatedUsers)
  • The bucket policy contains no statement with "Effect": "Allow" that grants the s3:GetObject action to the wildcard principal ("Principal": "*")

Failing policy example. The policy below fails the rule because its Allow statement grants s3:GetObject to the wildcard principal "*". (The same statement also grants s3:PutObject and s3:DeleteObject to everyone; the rule does not check those actions, but they make the bucket world-writable as well.)

    {
      "Id": "Policy1234567890",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowGetData",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::app/*",
          "Principal": "*"
        }
      ]
    }
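The two conditions above can be evaluated offline against the documents that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return. The following script is an added example, not part of this page or of the product's own rule engine; the ACL and the two policies it contains are constructed samples in the shape of that CLI output (the policy is a JSON string, as the CLI returns it), and the helper names are this example's own. It goes slightly beyond the rule text in two places, both marked in the code: FULL_CONTROL is treated like READ/READ_ACP because it implies them, and action wildcards such as `s3:*` and `s3:Get*` are matched because they grant GetObject too.

```python
"""Offline audit of the two conditions the rule checks (added example)."""
import fnmatch
import json

# Predefined S3 groups whose grants count as public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# FULL_CONTROL implies READ and READ_ACP, so it is treated as a finding too
# (a generalisation beyond the rule text above).
PUBLIC_READ_PERMISSIONS = {"READ", "READ_ACP", "FULL_CONTROL"}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def acl_public_read_grants(acl):
    """Return (group, permission) pairs for every public read grant in a bucket ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUP_URIS:
            continue
        if grant.get("Permission") in PUBLIC_READ_PERMISSIONS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _is_wildcard_principal(principal):
    """Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _allows_get_object(actions):
    """True if any action pattern covers s3:GetObject.

    IAM action matching is case-insensitive and supports * and ? wildcards, so
    "*", "s3:*" and "s3:Get*" are caught as well as the literal s3:GetObject.
    """
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def policy_public_get_statements(policy_json):
    """Return (Sid, has_condition) for each Allow statement granting GetObject to *.

    The rule as described ignores Condition elements; they are reported so a
    reviewer can judge whether e.g. an aws:SourceVpce restriction is acceptable.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _allows_get_object(stmt.get("Action", [])):
            findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


def bucket_is_public_read(acl, policy_json):
    """Overall verdict: the rule fails if either the ACL or the policy is public."""
    return bool(acl_public_read_grants(acl)) or bool(policy_public_get_statements(policy_json))


# --- constructed sample inputs (not real account data) ---
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
FAILING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowGetData", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                   "Resource": "arn:aws:s3:::app/*"}],
})
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowGetData", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                   "Resource": "arn:aws:s3:::app/*"}],
})

if __name__ == "__main__":
    for name, acl, policy in [("failing", PUBLIC_ACL, FAILING_POLICY),
                              ("fixed", PRIVATE_ACL, FIXED_POLICY)]:
        print(name, "public-read:", bucket_is_public_read(acl, policy),
              acl_public_read_grants(acl), policy_public_get_statements(policy))
```

To audit a real bucket, pipe the output of get-bucket-acl into `acl_public_read_grants` and the `Policy` string from get-bucket-policy into `policy_public_get_statements`; a bucket with no policy simply has no policy findings. Object-level ACLs are not covered by this check, which mirrors the rule: it looks at the bucket ACL and bucket policy only.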

Remediation

Remediating READ and READ_ACP access

  1. Use the put-bucket-acl command to reset the bucket ACL to the private canned ACL. This leaves only the bucket owner with FULL_CONTROL and drops every other grant, including the grants to the AllUsers and AuthenticatedUsers groups:

    aws s3api put-bucket-acl --bucket my-bucket-name --acl private
  2. Repeat step 1 for each bucket that is to be reconfigured.

Note that put-bucket-acl changes only the bucket ACL. Objects carry their own ACLs, so an object that was uploaded with a public-read ACL stays readable until its object ACL is reset as well. Use the get-bucket-acl command to confirm that no group grants remain.

Remediating principal:* access

  1. To stop a bucket from being accessible to everyone, create a bucket policy that restricts the principal. The following example grants access only to AWS account 123456789012: an account root ARN as the principal means "this account", and the IAM policies in that account then decide which of its users and roles may actually use the grant. Save the policy as bucket-policy.json:

    {
      "Id": "Policy1234567890",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowGetData",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::app/*",
          "Principal": { "AWS": "arn:aws:iam::123456789012:root" }
        }
      ]
    }
  2. Use the delete-bucket-policy command to remove the existing, public policy from the bucket:

    aws s3api delete-bucket-policy --bucket my-bucket-name
  3. Use the put-bucket-policy command to apply the policy you created in step 1. put-bucket-policy replaces the whole bucket policy, so step 2 is a safety measure rather than a requirement:

    aws s3api put-bucket-policy --bucket my-bucket-name --policy file://bucket-policy.json
  4. Repeat steps 1-3 for each bucket that is failing.

After remediation, the get-bucket-policy-status command should report IsPublic as false for the bucket. Enabling S3 Block Public Access on the bucket (the put-public-access-block command) prevents a public ACL or policy from being reintroduced later.