Ensure S3 Bucket does not allow access to all Authenticated users
Error: AWS S3 buckets are accessible to any authenticated user
Bridgecrew Policy ID: BC_AWS_IAM_70
Checkov Check ID: CKV2_AWS_43
Severity: MEDIUM
AWS S3 buckets are accessible to any authenticated user
Description
This policy identifies S3 buckets whose ACL grants access to the AuthenticatedUsers group, that is, to any authenticated AWS user. Amazon S3 allows customers to store and retrieve any type of content from anywhere on the web. Customers often have legitimate reasons to expose an S3 bucket to the public, for example to host website content. However, these buckets often contain highly sensitive enterprise data which, if left accessible to anyone with valid AWS credentials, may result in sensitive data leaks. Note that the AuthenticatedUsers group (http://acs.amazonaws.com/groups/global/AuthenticatedUsers) covers every AWS account in existence, not only accounts in your own organization, so a grant to it is effectively public access with a login step.
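As an added example (not code from this page, Bridgecrew or Checkov), the following Python performs the same check at runtime against a live bucket's ACL: it walks an ACL in the shape returned by boto3's s3.get_bucket_acl() and by the aws s3api get-bucket-acl CLI, and flags any grant whose grantee is the AuthenticatedUsers group. The sample ACLs are constructed here to mirror the Terraform resource shown on this page; all function and variable names are the example's own.

```python
"""Flag S3 bucket ACLs that grant access to the AuthenticatedUsers group.

Added example, not Checkov's implementation. Input is the dict shape that
boto3's s3.get_bucket_acl() and `aws s3api get-bucket-acl` return:
{"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "..."}, ...]}
"""
import json

AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"

# Group URIs that make a bucket reachable from outside the owning account.
# AuthenticatedUsers means any AWS account at all, not accounts in your org.
WORLD_GROUPS = {
    AUTHENTICATED_USERS_URI: "any AWS account (authenticated)",
    ALL_USERS_URI: "anyone, including anonymous requests",
}


def find_world_grants(acl, group_uris=(AUTHENTICATED_USERS_URI,)):
    """Return (uri, permission) for every grant to one of `group_uris`.

    Only grantees of Type "Group" carry a URI; CanonicalUser and
    AmazonCustomerByEmail grantees are account-scoped and are skipped.
    """
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri in group_uris:
            hits.append((uri, grant.get("Permission")))
    return hits


def check_bucket_acl(name, acl):
    """Return (passed, message) for one bucket in the policy's own terms."""
    grants = find_world_grants(acl, group_uris=(AUTHENTICATED_USERS_URI,))
    if not grants:
        return True, f"{name}: PASSED"
    perms = ", ".join(sorted({str(p) for _, p in grants}))
    return False, f"{name}: FAILED: AuthenticatedUsers group granted {perms}"


def check_acl_json(name, text):
    """Same check over the raw JSON printed by `aws s3api get-bucket-acl`."""
    return check_bucket_acl(name, json.loads(text))


# Constructed sample mirroring the Terraform resource on this page: one
# CanonicalUser READ grant plus a READ_ACP grant to AuthenticatedUsers.
FAILING_ACL = {
    "Owner": {"ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "52b113e7a2f25102679df27bb0ae12b3f85be6"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
         "Permission": "READ_ACP"},
    ],
}

# The same ACL with the group grant removed, i.e. the remediated bucket.
PASSING_ACL = {
    "Owner": FAILING_ACL["Owner"],
    "Grants": [FAILING_ACL["Grants"][0]],
}

if __name__ == "__main__":
    for bucket, acl in (("fail_1", FAILING_ACL), ("fixed", PASSING_ACL)):
        print(check_bucket_acl(bucket, acl)[1])
    # Live bucket: aws s3api get-bucket-acl --bucket <name> > acl.json
    # print(check_acl_json("<name>", open("acl.json").read())[1])
```

Passing `group_uris=tuple(WORLD_GROUPS)` to find_world_grants widens the same walk to the AllUsers group, which is what the sibling public-ACL policies look for. Buckets created with ObjectOwnership set to BucketOwnerEnforced have ACLs disabled altogether, so their ACL contains only the owner's FULL_CONTROL grant and always passes this check.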
Fix - Buildtime
Terraform
# The owner's canonical ID is looked up rather than hard-coded.
data "aws_canonical_user_id" "current" {}

resource "aws_s3_bucket_acl" "fail_1" {
  bucket = "name"

  access_control_policy {
    # Grants to a specific CanonicalUser are account-scoped and are allowed.
    grant {
      grantee {
        id   = "52b113e7a2f25102679df27bb0ae12b3f85be6"
        type = "CanonicalUser"
      }
      permission = "READ"
    }

    # Removed: the grant with grantee type = "Group" and
    # uri = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
    # (permission = "READ_ACP"). Delete the whole grant block, not just the
    # uri line: a Group grantee without a uri is not valid.

    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}