TF 0405 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
S3 Access Block should Ignore Public Acl
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | s3 |
| Provider | AWS |
| Vulnerability Type | omission |
Description
The S3 bucket is configured to accept public ACLs, meaning that objects can be made publicly accessible by PUT operations that specify a public ACL. Because the bucket is not set to ignore public ACLs, it remains exposed to unintended public disclosure of its data.
Impact
An attacker or misconfigured application could upload objects with public ACLs, making sensitive data publicly accessible. This can lead to unauthorized data disclosure, regulatory violations, and potential data breaches affecting the organization's confidentiality.
Resolution
Enable the public access block setting that makes S3 ignore public ACLs applied in PUT calls, so that such ACLs have no effect on the bucket or its objects.
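The following Terraform is an added example written for this entry, not code from the Symbiotic-Vulnerability-Database project; the bucket and resource names are hypothetical. It shows the `aws_s3_bucket_public_access_block` setting the check looks for, with the weak value kept as a comment beside the corrected one.

```hcl
# Added example (hypothetical names). Every argument of
# aws_s3_bucket_public_access_block defaults to false, so omitting the
# resource, or omitting ignore_public_acls, leaves public ACLs honoured.

resource "aws_s3_bucket" "reports" {
  bucket = "example-org-internal-reports" # hypothetical bucket name
}

resource "aws_s3_bucket_public_access_block" "reports" {
  bucket = aws_s3_bucket.reports.id

  # Rejects PUT requests (bucket or object) that carry a public ACL.
  block_public_acls = true

  # Weak (flagged by this check): block_public_acls alone does not stop S3
  # from honouring a public ACL that is already present on an object.
  #   ignore_public_acls = false
  #
  # Corrected: S3 ignores all public ACLs on the bucket and its objects,
  # so a public ACL on a PUT, or one that already exists, grants nothing.
  ignore_public_acls = true

  # Companion settings for bucket policies, so public access is blocked
  # through both mechanisms rather than ACLs only.
  block_public_policy     = true
  restrict_public_buckets = true
}
```

Run `terraform plan` after changing the value; the resource is updated in place and no objects need to be rewritten, because ignoring public ACLs is evaluated at access time rather than stored on each object.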