S3 bucket ACLs are configured to block public write actions
    • 24 Aug 2023


    Description

    Modify your access control permissions to remove WRITE_ACP, WRITE, or FULL_CONTROL access for all AWS users or any authenticated AWS user.

    Rationale

    Public WRITE_ACP access gives anyone permissions to change the S3 bucket Access Control List. With these permissions, anyone can grant any permissions they want, such as reading or writing objects inside the bucket.

    Public WRITE access allows the grantee to create new objects in the bucket. For the bucket owner and the owners of existing objects, it also allows those objects to be deleted and overwritten.

    Public FULL_CONTROL access allows the grantee the READ, WRITE, READ_ACP, and WRITE_ACP permissions on the bucket.

    For more information about S3 bucket ACLs, see the Access control list (ACL) documentation.

    Remediation

    From the console

    Follow the Controlling access to a bucket with user policies docs to edit your existing policy and set the policy permissions to private.

    From the command line

    Run put-bucket-acl with your S3 bucket name and the ACL set to private.

    aws s3api put-bucket-acl \
      --bucket your-bucket-name \
      --acl private
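Before running the remediation it is worth confirming which grants actually trip this rule, since `--acl private` replaces the whole ACL. The following Python script is an added example, not code from the original page or from Datadog or AWS: it parses an ACL document in the JSON shape that `aws s3api get-bucket-acl --bucket your-bucket-name` prints, flags every grant that gives the AllUsers or AuthenticatedUsers group WRITE, WRITE_ACP or FULL_CONTROL, and emits the `put-bucket-acl` command from above for the bucket. The ACL embedded in `SAMPLE_ACL_JSON`, the owner ID and the bucket name are constructed sample values.

```python
"""Audit an S3 bucket ACL for public write grants (added example, hypothetical).

SAMPLE_ACL_JSON is constructed to mirror the JSON that
`aws s3api get-bucket-acl --bucket NAME` prints; in practice you would
feed that command's output to audit() instead of the sample.
"""
import json
import shlex

# Grantee URIs that make a grant "public": everyone, or every AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The permissions this rule treats as write access.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample: owner FULL_CONTROL (fine), a public READ (not this rule),
# and two grants that violate the rule.
SAMPLE_ACL_JSON = """
{
  "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLEOWNERCANONICALID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERCANONICALID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE_ACP"}
  ]
}
"""


def public_write_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (grantee_uri, permission) for each grant that gives a public
    group write-class access. Grants to specific canonical users or to the
    LogDelivery group are not public and are left alone."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        permission = grant.get("Permission")
        if (grantee.get("Type") == "Group"
                and uri in PUBLIC_GRANTEE_URIS
                and permission in WRITE_PERMISSIONS):
            findings.append((uri, permission))
    return findings


def remediation_command(bucket: str) -> str:
    """Build the put-bucket-acl call from the page, shell-quoting the name."""
    return f"aws s3api put-bucket-acl --bucket {shlex.quote(bucket)} --acl private"


def audit(acl_json: str, bucket: str) -> list[str]:
    """Parse get-bucket-acl output and report each violation plus the fix."""
    findings = public_write_grants(json.loads(acl_json))
    lines = [f"{bucket}: {perm} granted to {uri.rsplit('/', 1)[-1]}"
             for uri, perm in findings]
    if findings:
        lines.append(f"fix: {remediation_command(bucket)}")
    return lines


if __name__ == "__main__":
    for line in audit(SAMPLE_ACL_JSON, "your-bucket-name"):
        print(line)
```

Note that the `private` canned ACL resets the bucket to owner FULL_CONTROL only, so any grant you intended to keep (for example a public READ on a static-site bucket, or the LogDelivery group for server access logging) is dropped along with the public write grants; review the `get-bucket-acl` output before applying it and re-grant deliberately if needed.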