Json Yaml Bucket Policy Allows Public Access
Description
Detects CloudFormation templates that define S3 bucket policies allowing unrestricted public access. Public bucket access can expose sensitive data to unauthorized users and potentially lead to data breaches if buckets contain confidential information.
Detection Strategy
• Inspects CloudFormation template resources that define S3 bucket policies
• Evaluates IAM policy statements within bucket policies looking for overly permissive Principal elements like '*' or {'AWS': '*'}
• Checks if the policy Action and Effect combinations grant dangerous public access permissions
• Reports a vulnerability when bucket policy allows unrestricted access from any principal (public internet)
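The detection strategy above, as an added Python example that is not part of the original page or of the Fluid Attacks scanner: it parses a CloudFormation template in JSON form and reports every AWS::S3::BucketPolicy containing an Allow statement whose Principal is '*' or {'AWS': '*'} (or a list of AWS principals that includes '*'). The two templates, the bucket name and the account id are constructed placeholders.

```python
import json

# Constructed CloudFormation templates in JSON form (not from the original page);
# bucket name, logical id and account id are placeholders.
PUBLIC_TEMPLATE = json.dumps({"Resources": {"BucketPolicy": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {"Bucket": "example-bucket", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject",
                       "Resource": "arn:aws:s3:::example-bucket/*"}]}}}}})

RESTRICTED_TEMPLATE = json.dumps({"Resources": {"BucketPolicy": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {"Bucket": "example-bucket", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::111111111111:role/AppRole"},
                       "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-bucket/*"}]}}}}})


def is_public_principal(principal):
    """True when the Principal element grants access to anyone:
    '*', {'AWS': '*'}, or a list of AWS principals that contains '*'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_public_bucket_policies(template_text):
    """Return (logical_id, actions) for each AWS::S3::BucketPolicy whose
    PolicyDocument has an Allow statement open to any principal."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::BucketPolicy":
            continue
        doc = resource.get("Properties", {}).get("PolicyDocument", {})
        statements = doc.get("Statement", [])
        # A single statement may be written as an object rather than a list.
        statements = [statements] if isinstance(statements, dict) else statements
        for stmt in statements:
            if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")):
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                findings.append((logical_id, actions))
    return findings
```

A statement that also carries a Condition block is still reported here; whether the condition actually narrows access to specific sources needs separate review.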
Vulnerable code example
Resources:
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: example-bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement: ...
Secure code example
Resources:
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: example-bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement: ...