S3 Bucket ACL FULL_CONTROL Permission Granted to All Authenticated Users

Tenacity Id

Risk Level

Categories

s3-016

3

Last Updated: April 21, 2022

An Amazon Simple Storage Service (S3) bucket Access Control List (ACL) grants FULL_CONTROL permission to All Authenticated AWS Users. Unrestricted FULL_CONTROL permission allows anyone with an AWS account to modify permissions on the bucket and its objects, and to add, modify, remove, or replace any objects in the S3 bucket or the S3 bucket itself. Sensitive data could be exposed to unintended users or applications, and any compromised account gives a malicious actor full access to and control of the S3 bucket and its data. Remove the S3 bucket FULL_CONTROL permission for All Authenticated Users and restrict it to only the required users or groups.
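One way to check for this finding and build the corrected ACL, as an added example that is not part of the original rule or of Tenacity's own code. It works on a dictionary shaped like the response of boto3's `get_bucket_acl`; the function names and the sample ACL are assumptions made for illustration.

```python
# Added example: detect and strip FULL_CONTROL grants to All Authenticated Users.
# Input is shaped like the dict returned by boto3's s3.get_bucket_acl(Bucket=...).
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"


def is_offending(grant):
    """True when a grant gives FULL_CONTROL to the AuthenticatedUsers group."""
    grantee = grant.get("Grantee", {})
    return (
        grantee.get("Type") == "Group"
        and grantee.get("URI") == AUTHENTICATED_USERS_URI
        and grant.get("Permission") == "FULL_CONTROL"
    )


def find_offending_grants(acl):
    """Return the grants in a bucket ACL that match this finding."""
    return [g for g in acl.get("Grants", []) if is_offending(g)]


def remediated_policy(acl):
    """Return an AccessControlPolicy with the offending grants removed.

    The owner and all other grants are kept, so the result can be passed to
    s3.put_bucket_acl(Bucket=..., AccessControlPolicy=policy) unchanged.
    """
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", []) if not is_offending(g)],
    }


# Constructed sample ACL (identifiers are placeholders, not real canonical IDs).
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print("offending grants:", find_offending_grants(SAMPLE_ACL))
    print("remediated policy:", remediated_policy(SAMPLE_ACL))
```

The owner's own FULL_CONTROL grant and the log-delivery grant are left in place; only the grant to the AuthenticatedUsers group is removed.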