Amazon S3 public bucket - Vulnerability Database

Amazon S3 public bucket

Description

Amazon S3 (Simple Storage Service) organizes files into named containers called "buckets", each accessible via predictable URLs. Access controls can be configured at both the bucket level and for individual objects within the bucket. A bucket is considered public when its contents can be listed by any unauthenticated user, whereas a private bucket restricts listing and access to authorized users only.

This application is using a public Amazon S3 bucket, which allows anyone on the internet to enumerate and view all files and directories stored within it. Public buckets are rarely necessary and represent an unnecessary security exposure for most applications.
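As an added example (not part of the Invicti entry), the check below classifies the XML that S3 returns to an unauthenticated GET on a bucket URL: a ListBucketResult document means anyone can list the bucket, while an Error document carries the S3 error code (AccessDenied once the bucket is private). Both responses are constructed samples and the bucket name example-assets is made up; the same function can be run on a real response to confirm the remediation took effect.

```python
"""Decide whether an S3 bucket lists its contents to anonymous callers.

Added example, not the entry's own code. It parses the body S3 returns to
an unauthenticated GET on a bucket URL: a ListBucketResult document when
listing is public, an Error document (e.g. AccessDenied) when it is not.
"""
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"  # namespace on ListBucketResult

# Constructed sample responses; "example-assets" is a made-up bucket name.
PUBLIC_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-assets</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>backup/db-2024-01.sql</Key><Size>512</Size></Contents>
  <Contents><Key>images/logo.png</Key><Size>2048</Size></Contents>
</ListBucketResult>"""

DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""


def classify_listing_response(status: int, body: str) -> dict:
    """Turn one (HTTP status, body) pair into a finding dictionary."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:  # HTML redirect page, empty body, etc.
        return {"public": False, "status": status, "error": "non-xml response"}
    tag = root.tag.split("}")[-1]  # strip the namespace if one is present
    if status == 200 and tag == "ListBucketResult":
        # Listing succeeded without credentials: the bucket is public.
        return {
            "public": True,
            "bucket": root.findtext(S3_NS + "Name"),
            "keys": [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")],
            "truncated": root.findtext(S3_NS + "IsTruncated") == "true",
        }
    # Error documents carry no namespace; surface the S3 error code if present.
    code = root.findtext("Code") if tag == "Error" else None
    return {"public": False, "status": status, "error": code}


if __name__ == "__main__":
    for status, body in ((200, PUBLIC_LISTING), (403, DENIED)):
        print(classify_listing_response(status, body))
```

A truncated listing (IsTruncated true) means the bucket holds more than one page of keys; the finding still counts as public regardless of how many keys the first page shows.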

Remediation

Configure the S3 bucket to be private and implement proper access controls:

1. Remove public access via AWS Console: Navigate to the S3 bucket properties, select the "Permissions" tab, and under "Block public access", enable all four blocking options. Remove any bucket policies or ACLs that grant public read access.

2. Use bucket policies to restrict access: Add a bucket policy that explicitly denies every request from principals outside your AWS account (an explicit Deny takes precedence over any Allow), so only authenticated IAM users or roles in your account that hold a separate Allow can reach the bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": "YOUR-ACCOUNT-ID"
        }
      }
    }
  ]
}

3. Use CloudFront or signed URLs: If public access to specific objects is required, use Amazon CloudFront with signed URLs or S3 pre-signed URLs with expiration times instead of making the entire bucket public.

4. Enable AWS Config rules: Implement the s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited AWS Config rules to continuously monitor and alert on public bucket configurations.
