AWS-021 Amazon Web Services (AWS)

No individual S3 bucket is publicly readable/writable.

Domain
Amazon Web Services (AWS)
Area
Data Protection
Automated / manual
Automated

Risk if it fails

Per-bucket policies/ACLs can still expose data.

Even with account-level settings in place, a single bucket overridden to 'public' leaks its contents. Writable public buckets also let attackers plant malware that others then download.

How Tess tests it

1 test — each concludes only on cited evidence.

No individual S3 bucket is publicly readable/writable.

Automated
Procedure
Iterate buckets; check ACLs, policy status and public-access-block.

Read-only command

for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do echo "$b"; aws s3api get-bucket-acl --bucket "$b" 2>/dev/null; aws s3api get-bucket-policy-status --bucket "$b" 2>/dev/null; aws s3api get-public-access-block --bucket "$b" 2>/dev/null; done
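The evaluation step the procedure implies, as an added example that is not part of the original page: a POSIX shell function that applies the three AWS-021 checks (ACL, policy status, public access block) to the JSON responses the read-only command collects for one bucket. It runs here against constructed sample responses; the reading of the public-access-block semantics (IgnorePublicAcls neutralises public ACL grants, RestrictPublicBuckets confines a public policy to the account's own principals) is an assumption stated in the comments, and feeding it live aws s3api output is assumed rather than shown.

```shell
#!/bin/sh
# Added example, not from the original page: apply the AWS-021 checks to the
# three JSON responses the read-only command collects for one bucket.
# An empty argument stands for a failed call (no policy / no public access
# block configured), which is exactly what 2>/dev/null leaves behind.

# pab_flag PAB_JSON FLAG: true when FLAG is set to true in the block config.
pab_flag() { printf '%s' "$1" | grep -Eq "\"$2\": *true"; }

# bucket_is_public POLICY_STATUS_JSON PAB_JSON ACL_JSON
# Returns 0 (true) when the bucket is publicly readable/writable, 1 otherwise,
# printing each exposure path found.
bucket_is_public() {
    policy="$1"; pab="$2"; acl="$3"; public=1
    # Path 1: bucket policy evaluated as public, and RestrictPublicBuckets does
    # not confine it (assumed PAB semantics, see lead-in).
    if printf '%s' "$policy" | grep -Eq '"IsPublic": *true' \
       && ! pab_flag "$pab" RestrictPublicBuckets; then
        echo "  bucket policy grants public access"; public=0
    fi
    # Path 2: ACL grant to AllUsers or AuthenticatedUsers that IgnorePublicAcls
    # does not neutralise (assumed PAB semantics).
    if printf '%s' "$acl" | grep -Eq 'groups/global/(AllUsers|AuthenticatedUsers)' \
       && ! pab_flag "$pab" IgnorePublicAcls; then
        echo "  ACL grants access to an anonymous or any-authenticated-user group"; public=0
    fi
    return $public
}

# check_bucket NAME POLICY_STATUS_JSON PAB_JSON ACL_JSON: print a verdict line.
check_bucket() {
    name="$1"; shift
    if bucket_is_public "$@"; then echo "FAIL $name"; else echo "PASS $name"; fi
}

# Constructed sample responses (no real buckets), in the shape aws s3api prints.
POLICY_PUBLIC='{ "PolicyStatus": { "IsPublic": true } }'
POLICY_PRIVATE='{ "PolicyStatus": { "IsPublic": false } }'
PAB_FULL='{ "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true } }'
PAB_NONE=''
ACL_PRIVATE='{ "Grants": [ { "Grantee": { "Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID" }, "Permission": "FULL_CONTROL" } ] }'
ACL_PUBLIC='{ "Grants": [ { "Grantee": { "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers" }, "Permission": "WRITE" } ] }'

check_bucket sample-private    "$POLICY_PRIVATE" "$PAB_NONE" "$ACL_PRIVATE"   # PASS
check_bucket sample-public-acl "$POLICY_PRIVATE" "$PAB_NONE" "$ACL_PUBLIC"    # FAIL
check_bucket sample-blocked    "$POLICY_PUBLIC"  "$PAB_FULL" "$ACL_PUBLIC"    # PASS: block neutralises both paths
```

To run it against an account, capture the three responses per bucket from the read-only command above and pass them as the three arguments.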
