S3 Access block should block public ACL

Property
Language: terraform
Severity: high
Service: s3
Provider: AWS
Vulnerability Type: omission

Description

The S3 bucket configuration does not block public ACLs, so users can apply access control lists that make bucket objects publicly readable. This misconfiguration allows public access settings to be applied at the object level, bypassing the access restrictions the bucket is intended to enforce.

Impact

If exploited, sensitive data stored in S3 buckets could be exposed publicly, enabling unauthorized users to read, download, or potentially manipulate data. This can lead to data breaches, loss of intellectual property, and regulatory non-compliance.

S3 Access block should block public policy

Property
Language: terraform
Severity: high
Service: s3
Provider: AWS
Vulnerability Type: omission

Description

The S3 bucket configuration does not enforce blocking of public bucket policies, allowing users to attach policies that could make the bucket publicly accessible. This misconfiguration leaves the bucket open to unintended public access through policy changes.

Impact

If exploited, an attacker or unauthorized user could add or modify bucket policies to expose sensitive data to the public internet. This could result in data leakage, compliance violations, and potential financial or reputational damage to the organization.

S3 Access Block should Ignore Public Acl

Property
Language: terraform
Severity: high
Service: s3
Provider: AWS
Vulnerability Type: omission

Description

S3 buckets are configured to honor public ACLs, meaning that objects can be made publicly accessible by a PUT operation that specifies a public ACL. Because the bucket is not set to ignore public ACLs, it remains vulnerable to unintended public exposure of data.

Impact

An attacker or misconfigured application could upload objects with public ACLs, making sensitive data publicly accessible. This can lead to unauthorized data disclosure, regulatory violations, and potential data breaches affecting the organization’s confidentiality.

S3 Access block should restrict public bucket to limit access

Property
Language: terraform
Severity: high
Service: s3
Provider: AWS
Vulnerability Type: omission

Description

The S3 bucket configuration does not restrict public access policies, so anyone can access the bucket if a public policy is attached. Without enabling 'restrict_public_buckets', public access controls can be bypassed and data exposed to the internet.

Impact

If exploited, unauthorized users could access sensitive data stored in the S3 bucket, leading to data leakage, compliance violations, or potential misuse of information. Publicly accessible buckets are a common target for attackers and can result in significant data breaches.

S3 Bucket Logging

Property
Language: terraform
Severity: low
Service: s3
Provider: aws

Description

S3 buckets are missing access logging configuration, which means operations such as uploads, downloads, and deletions are not being logged. Without logging enabled, there is no audit trail for activity on the bucket.

Impact

If exploited, unauthorized or malicious activity could occur undetected, making it difficult to investigate data breaches, track unauthorized access, or satisfy auditing requirements. This lack of visibility hinders incident response and forensic analysis.

S3 Buckets not publicly accessible through ACL

Property
Language: terraform
Severity: high
Service: s3
Provider: AWS
Vulnerability Type: misconfiguration

Description

The S3 bucket is configured with an ACL that allows public access, making its contents accessible to anyone on the internet. This misconfiguration exposes sensitive data by not restricting access to authorized users only.

Impact

If exploited, unauthorized users could list, download, or even modify the contents of the bucket, leading to data leakage, loss of intellectual property, or exposure of confidential information. This can result in regulatory violations, reputational damage, and financial loss.

S3 buckets should each define an aws_s3_bucket_public_access_block

Property
Language: terraform
Severity: low
Service: s3
Provider: AWS

Description

S3 buckets are missing a dedicated aws_s3_bucket_public_access_block resource, so public access settings are not enforced in one place for the bucket. Without it, individual bucket policies or ACLs may unintentionally allow public access.

Impact

Sensitive data in S3 buckets could be exposed to the public if permissive policies or ACLs are applied, leading to potential data breaches, unauthorized access, and compliance violations.

Resolution

Define an aws_s3_bucket_public_access_block resource for the given bucket to control its public access policies.

S3 Data should be versioned

Property
Language: terraform
Severity: medium
Service: s3
Provider: AWS
Vulnerability Type: omission

Description

S3 buckets are configured without versioning enabled, meaning object changes or deletions permanently overwrite or remove previous data with no way to recover prior versions.

Impact

If an object is accidentally or maliciously deleted or modified, the original data cannot be restored, increasing the risk of data loss or service disruption and potentially impacting business continuity or compliance requirements.

S3 DNS Compliant Bucket Names

Property
Language: terraform
Severity: medium
Service: s3
Provider: aws
Vulnerability Type: misconfiguration

Description

S3 buckets are being created with names containing periods ('.'), which violates AWS DNS compliance requirements. Such names can cause compatibility problems with certain S3 features and integrations.

Impact

Non-DNS-compliant S3 bucket names may prevent the use of features such as S3 Transfer Acceleration and virtual-hosted-style HTTPS access, potentially exposing data to misrouting or failed connections. This can disrupt application functionality, weaken security, and limit interoperability with other AWS services.

S3 encryption should use Customer Managed Keys

Property
Language: terraform
Severity: high
Service: s3
Provider: AWS
Vulnerability Type: omission

Description

S3 bucket encryption is configured to use AWS-managed keys instead of customer managed keys. This limits control over key management, including key rotation and key access policies, both of which matter for meeting security and compliance requirements.

Impact

Relying on AWS-managed keys restricts the ability to enforce fine-grained access controls on the key and to manage its rotation, potentially exposing sensitive data to unauthorized access if those keys are compromised or misused. This can lead to data breaches and failure to meet compliance obligations.