Skip to content

Public AWS S3 bucket with file listing enabled

Public AWS S3 bucket with file listing enabled

Description

AWS provides S3 web service storage to store and retrieve data easily. Access to the S3 bucket can enable access control and implement a few security settings. S3 bucket has been behind several high-profile data compromises and is a common misconfiguration.

A publicly accessible AWS S3 bucket was detected with potentially sensitive information. The information was detected as the bucket enables file listing, and an attacker can navigate all content in the bucket.

Recommendation

To ensure the proper configuration of the AWS S3 bucket:

  • Ensure public access is required. If not, restrict access to authorized users only.
  • If public access is required, ensure that file listing is required. If not, remove list object permission from all users' access.
  • If public access is required, ensure that no sensitive information is stored in the bucket.

Standards

  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_7_3
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_6_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5
    • CC_8_1