Information disclosure from public read permission in S3 bucket ACL

High Risk infrastructure-security

What it is

Information disclosure: a bucket ACL that grants READ to the AllUsers group lets anyone on the internet, with no AWS credentials, list every key in the bucket. Objects whose own ACL or a bucket policy also grants public read can then be downloaded in bulk, exposing whatever is stored there and giving an attacker a cheap reconnaissance and data-harvesting source. A 'public-read-write' ACL additionally lets anonymous users upload, overwrite or delete objects.

Why it happens

The bucket ACL contains a grant to the AllUsers group (http://acs.amazonaws.com/groups/global/AllUsers). The canned ACLs 'public-read' and 'public-read-write' add exactly that grant; a grant to AuthenticatedUsers (any AWS account, not just yours) is effectively public as well. The grant usually arrives through one of the paths below.

Root causes

Public-Read ACL Configuration

An explicit acl = "public-read" or "public-read-write" on the bucket definition (Terraform aws_s3_bucket_acl or the deprecated acl argument of aws_s3_bucket, CloudFormation AccessControl, the AWS CLI put-bucket-acl), either at creation or in a later update.

Legacy ACL Permissions

Buckets created before S3 Block Public Access existed (November 2018), or before new buckets started with Block Public Access on and ACLs disabled by default (April 2023), often still carry ACL grants from older guidance, and nothing later revoked them.

Misconfigured Static Website Hosting

Assuming that S3 static website hosting needs a public ACL. The website endpoint does need readable objects, but that is granted with a bucket policy scoped to s3:GetObject on the objects to be served, not with an ACL; and if the site is fronted by CloudFront the bucket does not need to be public at all.

Fixes

1

Set ACL to Private

Change the bucket ACL from 'public-read' to 'private' (the default canned ACL, which grants only the bucket owner full control) in your Terraform (aws_s3_bucket_acl) or CloudFormation (AccessControl: Private) configuration. Better, set Object Ownership to BucketOwnerEnforced, which disables ACLs on the bucket entirely so a later change cannot re-open it. A private ACL does not restrict anything granted by the bucket policy, so review the policy as well.

2

Enable S3 Block Public Access

Turn on all four Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) at the bucket level, and ideally at the account level too. IgnorePublicAcls makes S3 ignore existing public grants on the bucket and its objects rather than merely rejecting new ones, so the exposure is closed even before the ACL itself is cleaned up; the policy settings cover the other route to public access.

3

Use CloudFront with OAC

For content that must be reachable from the internet, keep the bucket private and serve it through CloudFront with Origin Access Control. The bucket policy then grants s3:GetObject only to the cloudfront.amazonaws.com service principal, conditioned on the distribution's ARN (AWS:SourceArn), so objects are never readable from the S3 endpoint directly. OAC is the successor to Origin Access Identity and, unlike OAI, works with SSE-KMS encrypted objects and in every region.
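The three fixes as one Terraform configuration, with the misconfiguration shown first for contrast. This is an added example, not the page's or Sourcery's own code; it assumes AWS provider v4 or later, and the bucket names, the OAC name and the distribution settings are placeholders.

```hcl
# Added example (not from the original page). Assumes Terraform AWS provider >= 4.x.
# Bucket names, OAC name and cache settings are placeholders.

# --- Vulnerable: the canned ACL grants READ to the AllUsers group. On buckets
# created after April 2023 this only applies if ACLs were re-enabled and Block
# Public Access turned off, which is why it tends to survive on older buckets.
resource "aws_s3_bucket" "exposed" {
  bucket = "example-exposed-bucket" # placeholder
}

resource "aws_s3_bucket_acl" "exposed" {
  bucket = aws_s3_bucket.exposed.id
  acl    = "public-read" # anyone on the internet can list the bucket
}

# --- Hardened ---
resource "aws_s3_bucket" "content" {
  bucket = "example-content-bucket" # placeholder
}

# Fix 1, strong form: BucketOwnerEnforced disables ACLs altogether, so a later
# aws_s3_bucket_acl with acl = "public-read" is rejected instead of applied.
resource "aws_s3_bucket_ownership_controls" "content" {
  bucket = aws_s3_bucket.content.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Fix 2: all four Block Public Access flags. The first two neutralise public
# ACLs (including existing grants), the last two public bucket policies.
resource "aws_s3_bucket_public_access_block" "content" {
  bucket                  = aws_s3_bucket.content.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

# Fix 3: CloudFront signs its origin requests with SigV4 via OAC.
resource "aws_cloudfront_origin_access_control" "content" {
  name                              = "content-oac" # placeholder
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "content" {
  enabled             = true
  default_root_object = "index.html"

  origin {
    domain_name              = aws_s3_bucket.content.bucket_regional_domain_name
    origin_id                = "s3-content"
    origin_access_control_id = aws_cloudfront_origin_access_control.content.id
  }

  default_cache_behavior {
    target_origin_id       = "s3-content"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# Only this distribution's CloudFront service principal may read objects.
# No Principal "*" is used, so BlockPublicPolicy does not reject the policy.
data "aws_iam_policy_document" "content" {
  statement {
    sid       = "AllowCloudFrontOAC"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.content.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.content.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "content" {
  bucket = aws_s3_bucket.content.id
  policy = data.aws_iam_policy_document.content.json
}
```

After `terraform apply`, a direct GET against the bucket's S3 endpoint returns 403 while the same object is served through the distribution's domain. Because ownership is BucketOwnerEnforced, a policy-as-code scan of this configuration will flag any reintroduced acl = "public-read" as a plan-time error rather than a runtime exposure.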

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from public read permission in S3 bucket ACLs and many other security issues in your codebase.