TF 0236 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
S3 Access block should block public ACL
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | s3 |
| Provider | AWS |
| Vulnerability Type | omission |
Description
The S3 bucket configuration does not block public ACLs, so users can apply access control lists that make bucket objects publicly readable. This misconfiguration allows public access settings to be set on individual objects, bypassing the access restrictions intended for the bucket.
Impact
If exploited, sensitive data stored in S3 buckets could be exposed publicly, enabling unauthorized users to read, download, or potentially manipulate data. This can lead to data breaches, loss of intellectual property, and regulatory non-compliance.
Resolution
Enable blocking of any PUT call that specifies a public ACL.
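The misconfiguration and its resolution side by side in Terraform, as an added example that is not part of the database entry; the bucket name and resource labels are assumptions, and the setting that this check looks at is `block_public_acls` on `aws_s3_bucket_public_access_block`.

```hcl
# Constructed example; bucket name and resource labels are assumptions.
resource "aws_s3_bucket" "reports" {
  bucket = "example-reports-bucket"
}

# BEFORE (flagged): the public access block exists, but block_public_acls
# is false, so a PutObject or PutBucketAcl call that carries a public ACL
# such as "public-read" is accepted and the object becomes world-readable.
# Only one public access block can be attached per bucket; this resource
# is shown for contrast and would be replaced by the one below.
resource "aws_s3_bucket_public_access_block" "reports_weak" {
  bucket = aws_s3_bucket.reports.id

  block_public_acls       = false # <- the omission this check reports
  ignore_public_acls      = false
  block_public_policy     = true
  restrict_public_buckets = true
}

# AFTER (resolved): block_public_acls = true makes S3 reject any PUT call
# that specifies a public ACL; ignore_public_acls = true additionally
# neutralises public ACLs that were already applied before the block.
resource "aws_s3_bucket_public_access_block" "reports" {
  bucket = aws_s3_bucket.reports.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

# Optional hardening beyond the check: with BucketOwnerEnforced, S3
# disables ACLs on the bucket entirely, so object access is governed
# only by bucket policy and IAM.
resource "aws_s3_bucket_ownership_controls" "reports" {
  bucket = aws_s3_bucket.reports.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}
```

Verify after apply with `aws s3api get-public-access-block --bucket example-reports-bucket` and confirm `BlockPublicAcls` is `true`.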