Language: terraform
Severity: high
Service: s3
Provider: AWS
Vulnerability Type: omission

Description

The S3 bucket configuration does not block public ACLs, allowing users to apply access control lists that can make bucket objects publicly accessible. This misconfiguration permits public access settings to be set on objects, bypassing intended security restrictions.

Impact

If exploited, sensitive data stored in S3 buckets could be exposed publicly, enabling unauthorized users to read, download, or potentially manipulate data. This can lead to data breaches, loss of intellectual property, and regulatory non-compliance.

Resolution

Enable blocking of any PUT calls that specify a public ACL.
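
The omission and its fix side by side, as an added example that is not part of the original rule page. Bucket names and resource labels are hypothetical; the `aws_s3_bucket_public_access_block` resource and its `block_public_acls` argument come from the Terraform AWS provider.

```hcl
# Constructed example: bucket names and resource labels are hypothetical.

# --- Non-compliant ---------------------------------------------------------
resource "aws_s3_bucket" "reports_weak" {
  bucket = "example-reports-weak"
}

# block_public_acls is omitted, so it takes the provider default (false).
# PUT requests that carry a public ACL (for example public-read) are accepted.
resource "aws_s3_bucket_public_access_block" "reports_weak" {
  bucket = aws_s3_bucket.reports_weak.id
}

# --- Compliant -------------------------------------------------------------
resource "aws_s3_bucket" "reports_hardened" {
  bucket = "example-reports-hardened"
}

# block_public_acls = true makes S3 reject PUT Bucket ACL and PUT Object ACL
# calls when the specified ACL would grant public access.
resource "aws_s3_bucket_public_access_block" "reports_hardened" {
  bucket            = aws_s3_bucket.reports_hardened.id
  block_public_acls = true
}
```

A bucket with no `aws_s3_bucket_public_access_block` resource attached is in the same position as the first case, because nothing in the Terraform configuration sets the flag.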