
test-code-scanner's People

Contributors

ts33


test-code-scanner's Issues

AWS S3 Bucket Public Read ACP Permissions should be removed

Risk: critical

Description

It was discovered that the "Read ACP" privilege was granted to "Everyone" for one or more AWS S3 buckets.

Granting the "Read ACP" privilege to "Everyone" on an AWS S3 bucket allows anyone on the public Internet to read the access control and permission settings of all objects stored within the bucket.

Implication

An attacker could leverage this privileged information to uncover poorly configured S3 objects and attempt to access those objects. This could impact the confidentiality of the data and, depending on its criticality and sensitivity, could result in reputational damage or non-compliance with regulatory requirements your company is subject to.

Recommendation

It is recommended that S3 bucket permissions be set according to the principle of least privilege. "Everyone" should not be granted the "Read ACP" privilege.

Remediation Steps:

  1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3/
  2. Select the S3 bucket that needs to be updated.
  3. Click the Permissions tab.
  4. Click Access Control List.
  5. Under the Public access header, click the Everyone option and do the following:
    i. Untick Read bucket permissions under the Access to this bucket's ACL section.
  6. Click Save.

S3 Bucket Read ACP privilege for everyone has now been removed.
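The same check and fix as code, added here as an example rather than taken from the finding or from Horangi: it inspects a bucket ACL of the shape boto3's get_bucket_acl() returns, reports grants that let the AllUsers ("Everyone") or AuthenticatedUsers group read the ACL (a public FULL_CONTROL grant implies READ_ACP, so it is flagged too), and builds the policy put_bucket_acl() would need with those grants removed. SAMPLE_ACL is constructed data, and the owner ID is a placeholder.

```python
# Added example: audit and sanitize a bucket ACL of the shape that boto3's
# get_bucket_acl() returns. SAMPLE_ACL is constructed data for illustration,
# not the ACL of the bucket named in the finding; nothing here talks to AWS.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # console "Everyone"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
# FULL_CONTROL implies READ_ACP, so a public FULL_CONTROL grant also exposes the ACL.
CONFERS_READ_ACP = {"READ_ACP", "FULL_CONTROL"}

SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}


def is_public_grantee(grantee):
    """True for the AllUsers / AuthenticatedUsers predefined groups."""
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS


def public_read_acp_grants(acl):
    """(group URI, permission) pairs that let a public group read the bucket ACL."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in acl["Grants"]
            if is_public_grantee(g["Grantee"]) and g["Permission"] in CONFERS_READ_ACP]


def strip_public_read_acp(acl):
    """Build the AccessControlPolicy for put_bucket_acl() with the offending grants
    removed. Every other grant, including the owner's FULL_CONTROL, is kept so the
    bucket is not locked out, mirroring the console's 'untick Read bucket permissions'."""
    kept = [g for g in acl["Grants"]
            if not (is_public_grantee(g["Grantee"]) and g["Permission"] in CONFERS_READ_ACP)]
    return {"Owner": acl["Owner"], "Grants": kept}


if __name__ == "__main__":
    for uri, perm in public_read_acp_grants(SAMPLE_ACL):
        print(f"public ACL exposure: {uri} has {perm}")
    policy = strip_public_read_acp(SAMPLE_ACL)
    print("grants after fix:", [g["Permission"] for g in policy["Grants"]])
    # With boto3 the input would come from s3.get_bucket_acl(Bucket=name) and the
    # fixed policy would go to s3.put_bucket_acl(Bucket=name, AccessControlPolicy=policy).
```

The public READ grant in the sample survives on purpose: this finding covers only Read ACP, and a separate check should report public read access.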

Parameters

Account gid: 308692709302

Region: global

Resource type: S3 Bucket

Resources


   - {'id': 's3-doom-acl-all-not-full-control', 'gid': 'arn:aws:s3:::s3-doom-acl-all-not-full-control', 'notes': None}

Related Resources

None


Horangi detected this issue on 2019-04-14 09:01:39.192407
