S3 Bucket ACL READ_ACP Permission Granted to All Authenticated Users

Tenacity Id: s3-017

Risk Level: 3

Categories:

Last Updated: April 21, 2022

An Amazon Simple Storage Service (S3) bucket Access Control List (ACL) grants the READ_ACP permission to the predefined Authenticated Users group. This group is not limited to your own AWS account or organization: it matches any request signed with valid credentials from any AWS account in the world. With READ_ACP granted to it, anyone who can create an AWS account can read the bucket's ACL, which reveals the bucket owner's canonical ID and every other grantee and permission on the bucket. That is useful reconnaissance for a malicious actor looking for overly permissive READ or WRITE grants to target next. S3 bucket ACLs are used to control access to buckets and objects. Remove the READ_ACP grant for Authenticated Users (a FULL_CONTROL grant to the same group includes READ_ACP and must be removed as well) and restrict ACL grants to only the required users or groups. Where the bucket does not need ACLs at all, setting S3 Object Ownership to "Bucket owner enforced" disables ACLs entirely and removes this class of finding.
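The check and remediation described above, as an added example that is not part of the original rule page: the functions below inspect a bucket ACL in the shape returned by boto3's s3.get_bucket_acl (Owner plus Grants), flag any READ_ACP or FULL_CONTROL grant to the AuthenticatedUsers group URI, and build the AccessControlPolicy that s3.put_bucket_acl accepts with that grant removed. The ACL document, owner ID and display names are constructed for the example; in practice the dict comes from the API call, and boto3 is not imported here so the code runs offline.

```python
"""Detect and remediate READ_ACP grants to the AuthenticatedUsers group in an S3 bucket ACL."""
from typing import Dict, List

# Predefined Amazon S3 group matching every AWS account in the world,
# not only accounts in your own organization.
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# FULL_CONTROL bundles READ_ACP, so a FULL_CONTROL grant to the group is the same finding.
ACL_READ_PERMISSIONS = {"READ_ACP", "FULL_CONTROL"}

# Constructed sample in the shape boto3's s3.get_bucket_acl(Bucket=...) returns.
# The canonical ID and display name are made up for this example.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64, "DisplayName": "example-owner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI},
         "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}


def grants_to_group(acl: Dict, group_uri: str) -> List[str]:
    """Return the permissions the ACL grants to the given predefined group URI."""
    return [
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") == group_uri
    ]


def authenticated_users_can_read_acl(acl: Dict) -> bool:
    """True when any AWS account (via the AuthenticatedUsers group) can read this bucket's ACL."""
    permissions = grants_to_group(acl, AUTHENTICATED_USERS_URI)
    return any(p in ACL_READ_PERMISSIONS for p in permissions)


def remediated_acl(acl: Dict) -> Dict:
    """Return a copy of the ACL with every grant to AuthenticatedUsers removed.

    The result has the AccessControlPolicy shape accepted by
    s3.put_bucket_acl(Bucket=..., AccessControlPolicy=...). The owner's grant and
    any other grantees (for example the LogDelivery group) are kept as they are.
    """
    kept = [
        grant for grant in acl.get("Grants", [])
        if not (grant.get("Grantee", {}).get("Type") == "Group"
                and grant["Grantee"].get("URI") == AUTHENTICATED_USERS_URI)
    ]
    return {"Owner": acl["Owner"], "Grants": kept}


if __name__ == "__main__":
    if authenticated_users_can_read_acl(SAMPLE_ACL):
        print("FINDING s3-017: AuthenticatedUsers granted",
              grants_to_group(SAMPLE_ACL, AUTHENTICATED_USERS_URI))
        print("Remediated policy:", remediated_acl(SAMPLE_ACL))
    else:
        print("OK: AuthenticatedUsers cannot read the bucket ACL")
```

If the bucket needs no non-owner grants at all, the simpler remediation is to reset the ACL with `aws s3api put-bucket-acl --bucket <name> --acl private`, which leaves only the owner's FULL_CONTROL grant; the filtering above is for buckets that must keep other grantees such as the LogDelivery group.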