S3 bucket should not allow list actions from all principals

Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion

Risk Level: Critical
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.CFT.IAM.05
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

AWS_S3_BucketPolicy should not have PolicyDocument.Statement contain [ Effect='Allow' and Principal='*' and (Action contain [$ regexMatch /^s3:List/] or Action regexMatch /^s3:List/) ]

REMEDIATION

From CFT
Modify the AWS::S3::BucketPolicy PolicyDocument property and remove the statements that grant s3:List* actions to the wildcard principal ('*'). If the access is required, modify the statement instead to limit it to specific principals.
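The GSL check above, worked through as an added example (not CloudGuard's own code): a small Python checker that walks an AWS::S3::BucketPolicy resource and reports statements that Allow an s3:List* action to the wildcard principal, run against a constructed violating policy and its remediated form. It goes slightly beyond the GSL by also treating the equivalent {"AWS": "*"} principal form as a wildcard; the bucket names, account id and role name are invented sample values.

```python
import re
from typing import Any, List

# Constructed sample: a CloudFormation AWS::S3::BucketPolicy that allows
# s3:ListBucket from every principal (violates D9.CFT.IAM.05).
VIOLATING_POLICY = {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {"Ref": "DataBucket"},
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::example-bucket",
                             "arn:aws:s3:::example-bucket/*"],
            }],
        },
    },
}

# Remediated version: same actions, but limited to one specific principal
# (sample account id and role name are placeholders).
REMEDIATED_POLICY = {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
        "Bucket": {"Ref": "DataBucket"},
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::example-bucket",
                             "arn:aws:s3:::example-bucket/*"],
            }],
        },
    },
}

LIST_ACTION = re.compile(r"^s3:List")  # same pattern as the GSL regexMatch


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars where lists are accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """'*' as in the GSL, plus the equivalent {'AWS': '*'} spelling."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def offending_statements(bucket_policy: dict) -> List[dict]:
    """Statements that Allow an s3:List* action to a wildcard principal."""
    doc = bucket_policy["Properties"]["PolicyDocument"]
    hits = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if any(LIST_ACTION.match(a) for a in _as_list(stmt.get("Action", []))):
            hits.append(stmt)
    return hits


def is_compliant(bucket_policy: dict) -> bool:
    return not offending_statements(bucket_policy)
```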

References

  1. https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere—web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.

Compliance Frameworks

  • AWS CloudFormation ruleset