S3 Bucket Policy ACL FULL_CONTROL Permission Granted to All Public Users

Tenacity Id

Risk Level




Last Updated:

April 21, 2022

S3 bucket ACL grants FULL_CONTROL permissions to public users. Simple Storage Service (S3) bucket Access Control Lists (ACL) are used to control user access to buckets and objects. By default only the account owner has access to an S3 bucket and its contents but you can change the permissions to allow access by any user. Unrestricted FULL_CONTROL access to a bucket will allow anyone to perform any action on your S3 buckets and objects. Public S3 bucket FULL_CONTROL access should be disabled and that permission should only be allowed to users who require it.