Predefined permissions, also known as canned ACLs, are an easy way to grant broad privileges to predefined groups of users, such as every internet user or every AWS account holder.

The following canned ACLs are security-sensitive: PublicRead, PublicReadWrite and AuthenticatedRead.

Why is this an issue?

When an S3 bucket is configured with a canned ACL such as PublicRead, PublicReadWrite, or AuthenticatedRead, it grants broad read or write access to either all internet users (the AllUsers group) or all authenticated AWS users (the AuthenticatedUsers group, which means any AWS account, not only accounts in your organization), far beyond what is typically required.

What is the potential impact?

Unauthorized data access

When an S3 bucket is publicly readable, any user on the internet can enumerate and download its contents. This can expose sensitive business data, personally identifiable information (PII), credentials, or configuration files to unauthorized parties.

Data tampering

When an S3 bucket is publicly writable (e.g., PublicReadWrite), attackers can upload malicious files, overwrite existing objects, or delete bucket content (the WRITE grant covers create, overwrite and delete), leading to data integrity loss or supply chain attacks if the bucket serves application assets such as scripts, packages or installers.

How to fix it in AWS CDK

Set the access_control property to PRIVATE (the default) to restrict bucket access to the owner only, and do the same for the access_control property of BucketDeployment, which sets the ACL of every uploaded object. For more granular access control, use an appropriate S3 bucket policy instead of canned ACLs. As defense in depth, also enable S3 Block Public Access on the bucket (block_public_access=s3.BlockPublicAccess.BLOCK_ALL), which makes S3 reject or ignore any ACL that grants access to the AllUsers or AuthenticatedUsers groups even if one is set later.

Code examples

Noncompliant code example

import aws_cdk.aws_s3 as s3
import aws_cdk.aws_s3_deployment as s3deploy

# Inside a Stack's __init__ (self is the Stack).
# Bucket-level canned ACL: grants read and write to everyone on the internet.
bucket = s3.Bucket(self, "bucket",
    access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE     # Noncompliant
)

# Object-level canned ACL applied to every object the deployment uploads.
s3deploy.BucketDeployment(self, "DeployWebsite",
    sources=[s3deploy.Source.asset("./website")],
    destination_bucket=bucket,
    access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE     # Noncompliant
)

Compliant solution

import aws_cdk.aws_s3 as s3
import aws_cdk.aws_s3_deployment as s3deploy

# Inside a Stack's __init__ (self is the Stack).
# PRIVATE is the default; it grants full control to the bucket owner only.
bucket = s3.Bucket(self, "bucket",
    access_control=s3.BucketAccessControl.PRIVATE
)

# Uploaded objects keep a private ACL as well.
s3deploy.BucketDeployment(self, "DeployWebsite",
    sources=[s3deploy.Source.asset("./website")],
    destination_bucket=bucket,
    access_control=s3.BucketAccessControl.PRIVATE
)

Resources

Documentation

Standards