S3 Bucket Allows List Action From All Principals
- Query id: d395a950-12ce-4314-a742-ac5a785ab44e
- Query name: S3 Bucket Allows List Action From All Principals
- Platform: Ansible
- Severity: High
- Category: Access Control
- URL: Github
Description
S3 buckets must not allow the List action from all principals, in order to prevent leaking private information to the entire internet or allowing unauthorized data tampering or deletion. This means that 'Effect' must not be 'Allow' when 'Action' is a List action and the statement applies to all principals (Principal '*').
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2020-10-07"
      Statement:
        - Effect: Allow
          Action: ListObject
          Principal: "*"
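As an added example that is not part of the KICS query or its documentation, the following Python check applies this query's rule to Ansible task data (the structure yaml.safe_load() returns for a playbook): it reports Allow statements whose Action is a List operation and whose Principal is "*", so it flags the sample above and passes a constructed hardened variant that restricts the principal to one account (the account ID is a placeholder).

```python
from fnmatch import fnmatchcase

# Constructed sample mirroring the page's positive test, as the Python data
# yaml.safe_load() would return for that playbook snippet.
VULNERABLE_TASKS = [{"name": "Bucket", "amazon.aws.s3_bucket": {
    "name": "mys3bucket", "state": "present",
    "policy": {"Version": "2020-10-07", "Statement": [
        {"Effect": "Allow", "Action": "ListObject", "Principal": "*"}]}}}]

# Constructed hardened variant (account ID is a placeholder): the same bucket,
# but the principal is a single AWS account, so it must not be reported.
HARDENED_TASKS = [{"name": "Bucket", "amazon.aws.s3_bucket": {
    "name": "mys3bucket", "state": "present",
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}}}]

def _as_list(value):
    """IAM fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_list_action(action):
    """List operation or a wildcard covering one ('s3:List*', '*'); case-insensitive."""
    name = str(action).split(":", 1)[-1].lower()
    return name.startswith("list") or fnmatchcase("listbucket", name)

def allows_all_principals(principal):
    """Principal '*' or {'AWS': '*'} (scalar or list) means every principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def find_public_list_statements(tasks):
    """(task name, statement) pairs where Allow grants a List action to everyone."""
    findings = []
    for task in tasks:
        module = task.get("amazon.aws.s3_bucket") or task.get("s3_bucket") or {}
        policy = module.get("policy") or {}
        for stmt in _as_list(policy.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            if not allows_all_principals(stmt.get("Principal")):
                continue
            if any(is_list_action(a) for a in _as_list(stmt.get("Action"))):
                findings.append((task.get("name"), stmt))
    return findings
```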