S3 bucket ACL permissions and access can be a bit overwhelming at first, but it's actually quite straightforward once you understand the basics.
There are two main types of permissions in S3 bucket ACLs: read and write permissions.
Read permissions allow users to view the contents of a bucket, but not make any changes. Write permissions, on the other hand, give users the ability to upload, delete, and modify objects within a bucket.
In S3, ACLs are used to grant permissions to individual users or groups, rather than just granting access to a bucket as a whole. This allows for more fine-grained control over who can access and modify your data.
S3 Bucket ACL Basics
You can set canned ACLs to be added to uploaded files or created buckets per default. Canned ACLs are predefined sets of permissions.
The default ACL can be set within Preferences (macOS ⌘, Windows Ctrl+,) → S3 → Default ACL. Here are some default ACL options:
You can disable ACLs on a bucket with Amazon S3 Object Ownership. For uploads to such a bucket to succeed, set Preferences → S3 → Default ACL → None; otherwise uploads fail with the error "The bucket does not allow ACLs".
AWS recommends IAM or bucket policies, but ACLs are still useful for controlling access to buckets and objects, because an ACL can be set on an individual object as well as on the bucket itself.
S3 Bucket ACL Settings
There are several default ACL options available, including private, public-read, public-read-write, authenticated-read, bucket-owner-read, and bucket-owner-full-control. However, bucket-owner-read and bucket-owner-full-control can only be applied to objects, not buckets.
Bucket ACLs are an older way of managing access to S3 buckets and are generally not recommended. They still have one advantage: an ACL can control access at the object level as well as the bucket level.
Here's a table summarizing the different default ACL options and their effects:
In some cases, you may want the Bucket owner preferred setting of Object Ownership, under which new objects written with the bucket-owner-full-control canned ACL are automatically owned by the bucket owner.
S3 Bucket ACL Permissions
S3 ACLs give flexibility over policies, allowing control over access levels for both buckets and objects.
The following permissions can be given to grantees: READ, WRITE, FULL_CONTROL, READ_ACP, and WRITE_ACP.
- READ allows the grantee to list the files in the bucket, or to download the file and its metadata.
- WRITE allows the grantee to create, overwrite, and delete any file in the bucket.
- FULL_CONTROL allows the grantee all permissions on the bucket or object.
- READ_ACP allows the grantee to read the access control list of the bucket or object.
- WRITE_ACP allows the grantee to write the ACL for the applicable bucket or object.
A table summarizing the permissions and their effects on buckets and objects is shown below:
The following canned ACLs can be applied to buckets and objects (bucket-owner-read and bucket-owner-full-control apply to objects only): private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control, and log-delivery-write.
- private: the owner has FULL_CONTROL.
- public-read: the owner has FULL_CONTROL and the AllUsers group has READ access.
- public-read-write: the owner has FULL_CONTROL and the AllUsers group has READ and WRITE access.
- bucket-owner-read: the object owner has FULL_CONTROL and the bucket owner has READ access.
- bucket-owner-full-control: both the object owner and the bucket owner have FULL_CONTROL over the object.
- log-delivery-write: the LogDelivery group has WRITE and READ_ACP permissions on the bucket.
The following table summarizes the canned ACLs and their effects on buckets and objects:
S3 Bucket ACL Security
AWS recommends using IAM policies over S3 Bucket ACLs, but ACLs still have their use cases. Bucket ACLs can control access to both buckets and objects, giving you more flexibility than IAM policies.
The biggest advantage of using ACLs is that you can set the access level of an individual object, not only of the bucket. This is particularly useful when you need to make some objects public in a private bucket or vice versa.
Here are the different types of ACLs and what they allow:
If you need to manage object-level permissions in S3 with ACLs, you set the ACL on the object itself.
S3 Bucket ACL Scanning
Detectify scans for various S3 misconfiguration vulnerabilities, including Amazon S3 bucket allowing for full anonymous access. This can have severe consequences for your web application's security.
One of the vulnerabilities Detectify scans for is Amazon S3 bucket allowing for arbitrary file listing. This means that anyone can access and view files within your S3 bucket without needing any authentication.
Another vulnerability is Amazon S3 bucket allowing for arbitrary file upload and exposure. This can lead to sensitive information being leaked or malicious files being uploaded to your S3 bucket.
Detectify also scans for Amazon S3 bucket allowing blind uploads, which is a type of vulnerability that allows attackers to upload files without being detected. This can be particularly problematic as it can be difficult to track and remove malicious files.
Amazon S3 bucket revealing ACP/ACL is another vulnerability that Detectify scans for. ACP/ACL stands for Access Control Policy/Access Control List, and revealing this information can give attackers valuable insight into your S3 bucket's security settings.
Here are some of the S3 misconfiguration vulnerabilities that Detectify scans for:
- Amazon S3 bucket allows for full anonymous access
- Amazon S3 bucket allows for arbitrary file listing
- Amazon S3 bucket allows for arbitrary file upload and exposure
- Amazon S3 bucket allows for blind uploads
- Amazon S3 bucket allows arbitrary read/writes of objects
- Amazon S3 bucket reveals ACP/ACL
S3 Bucket ACL Policies
S3 Bucket ACL Policies are a crucial aspect of managing access to your S3 resources.
You can assign ACLs to buckets as well as objects within them, giving you flexibility and control over your S3 resources.
There are several types of ACLs, including private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, bucket-owner-full-control, and log-delivery-write.
You can use ACLs to control access levels of not only buckets but also objects within them, whereas IAM or Bucket Policies can only be attached to buckets.
Here are the different types of ACLs and their corresponding permissions:
It's worth noting that Bucket ACLs are older and generally not recommended, but they still have their use cases, especially when it comes to object-level control.
S3 Bucket ACL Users
The AuthenticatedUsers group is often misunderstood, but it essentially means "Anyone with a valid set of AWS credentials". This group includes all AWS accounts that can sign a request properly, regardless of their relation to the bucket or object owner.
Granting permissions to the AuthenticatedUsers group in an ACL can leave your bucket exposed to every AWS account, which makes it a common cause of security issues.
Here's a list of predefined groups that can be used in S3 ACLs, along with what they allow:
Authenticated Users
Authenticated Users can be a bit tricky to understand, but essentially it means "Anyone with a valid set of AWS credentials". This group includes all AWS accounts that can sign a request properly, regardless of whether they have any relation to the AWS account owning the bucket or the object.
This grant is likely the most common reason a bucket is found vulnerable in the first place. The reason for this is that "authenticated" is not the same thing as "authorized". In other words, just because someone has the right credentials to access a bucket, it doesn't mean they're supposed to be there.
As a result, having Authenticated Users as an ACL can be a serious security risk. It's like leaving a door unlocked and inviting anyone to walk in.
All Users
When you set the "AllUsers" grant, anyone can make a request to read or write data without even needing to authenticate. Depending on the permissions granted, they can put their own data into your bucket or download objects from it.
This can be a bit of a security risk, as anyone can access your bucket without being authorized. However, it can also be useful in certain situations, such as when you're hosting a public website or serving files to the public.
Here are some examples of what happens when you set different permissions for "AllUsers":
As you can see, setting the "AllUsers" grant can have significant implications for the security and access control of your S3 bucket. It's essential to carefully consider the permissions you set and ensure they align with your specific use case.
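To make the canned ACLs and the two predefined groups discussed above concrete, here is an added example that is not code from the page, from Cyberduck or from Detectify. It expands a canned ACL into the grants S3 materialises, in the same dict shape boto3 returns from get_bucket_acl / get_object_acl, and then audits such a response for grants to AllUsers and AuthenticatedUsers. The group URIs are AWS's real identifiers; the canonical IDs in the usage section are constructed placeholders.

```python
# Added example (not code from the page, Cyberduck or Detectify): expand canned
# ACLs into grants and flag grants to the AllUsers / AuthenticatedUsers groups.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

GROUP_LABELS = {
    ALL_USERS: "anyone, no AWS credentials needed",
    AUTHENTICATED_USERS: "any AWS account (authenticated is not authorised)",
}
# Permissions that let a grantee change data or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _grant(grantee, permission):
    return {"Grantee": grantee, "Permission": permission}


def _user(canonical_id):
    return {"Type": "CanonicalUser", "ID": canonical_id}


def _group(uri):
    return {"Type": "Group", "URI": uri}


def canned_acl_grants(acl, owner_id, bucket_owner_id=None):
    """Return the grant list a canned ACL expands to.

    owner_id is the canonical ID of the resource owner. bucket_owner_id is
    only needed for bucket-owner-read / bucket-owner-full-control, which are
    object ACLs; when the object owner already is the bucket owner they add
    nothing beyond the owner's FULL_CONTROL.
    """
    grants = [_grant(_user(owner_id), "FULL_CONTROL")]
    if acl == "private":
        pass
    elif acl == "public-read":
        grants.append(_grant(_group(ALL_USERS), "READ"))
    elif acl == "public-read-write":
        grants.append(_grant(_group(ALL_USERS), "READ"))
        grants.append(_grant(_group(ALL_USERS), "WRITE"))
    elif acl == "authenticated-read":
        grants.append(_grant(_group(AUTHENTICATED_USERS), "READ"))
    elif acl == "log-delivery-write":
        grants.append(_grant(_group(LOG_DELIVERY), "WRITE"))
        grants.append(_grant(_group(LOG_DELIVERY), "READ_ACP"))
    elif acl in ("bucket-owner-read", "bucket-owner-full-control"):
        if bucket_owner_id is None:
            raise ValueError(f"{acl} is an object ACL and needs bucket_owner_id")
        if bucket_owner_id != owner_id:
            perm = "READ" if acl == "bucket-owner-read" else "FULL_CONTROL"
            grants.append(_grant(_user(bucket_owner_id), perm))
    else:
        raise ValueError(f"unknown canned ACL: {acl}")
    return grants


def risky_grants(acl_response):
    """Audit a get_bucket_acl / get_object_acl response.

    Returns (who, permission, severity) for every grant to AllUsers or
    AuthenticatedUsers. Write-like permissions to either group are "high":
    an unrelated party can upload, delete, or rewrite the ACL. READ/READ_ACP
    are "medium": listing, download, or disclosure of the ACL itself.
    """
    findings = []
    for grant in acl_response["Grants"]:
        grantee = grant["Grantee"]
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in GROUP_LABELS:
            severity = "high" if grant["Permission"] in WRITE_LIKE else "medium"
            findings.append((GROUP_LABELS[uri], grant["Permission"], severity))
    return findings


if __name__ == "__main__":
    # Constructed sample: what get_bucket_acl returns for a bucket created
    # with the public-read-write default ACL (owner ID is a placeholder).
    sample = {"Owner": {"ID": "OWNER_CANONICAL_ID"},
              "Grants": canned_acl_grants("public-read-write", "OWNER_CANONICAL_ID")}
    for who, permission, severity in risky_grants(sample):
        print(f"[{severity}] {permission} granted to {who}")
```

Running the audit over a real response means calling boto3's get_bucket_acl (or get_object_acl) and passing the returned dict straight to risky_grants; any "high" finding corresponds to the arbitrary-upload and ACL-rewrite cases the scanning section lists.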
S3 Bucket ACL Groups
Access to a bucket and the objects within it can be granted to a requester either as an individual grantee or through one of the predefined groups: AllUsers, AuthenticatedUsers, and LogDelivery, described above.
A predefined group covers a class of requesters rather than a named account, so a single grant to the group applies to every requester in that class.
Solution
To manage access to your S3 bucket, you can use bucket policies, IAM, or Bucket ACLs. Bucket ACLs are still a viable option despite the recommendation to use IAM or Bucket policies.
A bucket ACL can be assigned to both buckets and objects within a bucket, giving you more flexibility and control over your S3 resources. This means you can make certain objects public in a private bucket or vice versa without any issues.
Here are the different types of ACLs and their corresponding permissions:
To require all Amazon S3 PUT operations to include the bucket-owner-full-control canned ACL, you can add a bucket policy that allows object uploads only when the request carries this ACL.
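As an added example (not code from the page or from any of its sources), the following builds that bucket policy and includes a small evaluator showing how its StringNotEquals condition treats a few PutObject requests. The bucket name is a placeholder and the Sid is an assumption; only the single Deny statement is evaluated, not the full IAM policy language.

```python
import json

# Added example, not from the original page: a bucket policy that rejects any
# PutObject whose request does not carry x-amz-acl: bucket-owner-full-control,
# plus a minimal evaluator for that one condition.


def require_bucket_owner_full_control(bucket):
    """Deny uploads that do not send the bucket-owner-full-control ACL."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPutWithoutBucketOwnerFullControl",  # assumed name
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
            },
        }],
    }


def put_object_denied(policy, acl_header):
    """Evaluate only the Deny statement above against a PutObject request.

    acl_header is the x-amz-acl value, or None when the request sends none.
    Follows IAM's rule for negated operators: a missing key makes
    StringNotEquals true, so a PUT with no ACL header at all is denied too.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        wanted = stmt["Condition"]["StringNotEquals"]["s3:x-amz-acl"]
        if acl_header is None or acl_header != wanted:
            return True
    return False


def apply_policy(bucket, s3_client):
    """Attach the policy with a boto3 S3 client (needs credentials; not run here).

    Equivalent CLI: aws s3api put-bucket-policy --bucket BUCKET --policy file://policy.json
    """
    policy = require_bucket_owner_full_control(bucket)
    s3_client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    policy = require_bucket_owner_full_control("example-bucket")  # placeholder name
    print(json.dumps(policy, indent=2))
    for header in (None, "private", "public-read", "bucket-owner-full-control"):
        state = "denied" if put_object_denied(policy, header) else "allowed"
        print(f"x-amz-acl={header!r}: {state}")
```

Uploads from other accounts then have to pass the ACL explicitly, for example with `--acl bucket-owner-full-control` on `aws s3 cp`; an upload that omits it is rejected rather than silently landing as an object the bucket owner cannot read.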
S3 Bucket ACL Challenge
Disabling ACLs on an existing bucket with existing objects can be complicated, especially when there's a need to ensure existing objects are still accessible for audit and compliance purposes. This is a common scenario for log buckets for centralized logging.
You can't simply change the object ownership to the bucket owner and disable ACLs without affecting existing permissions. This is because the change in object ownership can prevent services like "delivery.logs.amazonaws.com" from writing logs to the bucket.
The challenge is that ACLs like "accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE" are used to permit services like "delivery.logs.amazonaws.com" to write logs to the bucket. If you disable ACLs, these services won't have the necessary permissions to write logs.
To illustrate the issue, here are some common ACLs used for logging buckets:
As you can see, ACLs like "LOG_DELIVERY_WRITE" are specifically designed for logging buckets, allowing services like "delivery.logs.amazonaws.com" to write logs to the bucket. If you disable ACLs, these services will be unable to write logs, which can cause issues with logging and compliance.
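The following is an added example, not code from the page or from the cevo.com.au post it draws on. Before switching Object Ownership to Bucket owner enforced, it lists the ACL grants that will stop applying (everything except the owner's own FULL_CONTROL) and builds the bucket-policy statements that let delivery.logs.amazonaws.com keep writing, since that service principal can be granted access by policy instead of by the LogDelivery ACL grant. The statement layout follows AWS's documented log-delivery bucket policy; the bucket name, account ID and region are placeholders, and the AWSLogs/<account>/ key prefix is an assumption about where the delivery lands.

```python
# Added example, not from the original page: pre-flight check for disabling
# ACLs on a logging bucket, and the policy that replaces the LogDelivery grant.

LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"


def grants_lost_when_acls_disabled(acl_response):
    """Return (grantee, permission) for each grant that Bucket owner enforced ignores.

    acl_response is a get_bucket_acl-shaped dict. The owner keeps full control
    through ownership, so only grants to other users or groups are reported.
    """
    owner_id = acl_response["Owner"]["ID"]
    lost = []
    for grant in acl_response["Grants"]:
        grantee = grant["Grantee"]
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == owner_id:
            continue
        who = grantee.get("URI") or grantee.get("ID") or grantee.get("EmailAddress")
        lost.append((who, grant["Permission"]))
    return lost


def log_delivery_bucket_policy(bucket, account_id, region):
    """Bucket policy giving delivery.logs.amazonaws.com write access without ACLs.

    The delivery service sends x-amz-acl: bucket-owner-full-control, which is
    the one ACL a Bucket owner enforced bucket still accepts, so the condition
    keeps that requirement explicit. aws:SourceAccount / aws:SourceArn limit the
    grant to deliveries that originate from this account and region.
    """
    principal = {"Service": "delivery.logs.amazonaws.com"}
    source_arn = f"arn:aws:logs:{region}:{account_id}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:PutObject",
                # Assumed prefix: log delivery writes under AWSLogs/<account>/.
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceAccount": account_id,
                    },
                    "ArnLike": {"aws:SourceArn": source_arn},
                },
            },
            {
                "Sid": "AWSLogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": source_arn},
                },
            },
        ],
    }


if __name__ == "__main__":
    # Constructed sample: a logging bucket created with the log-delivery-write
    # canned ACL (owner FULL_CONTROL, LogDelivery group WRITE + READ_ACP).
    sample = {
        "Owner": {"ID": "OWNER_CANONICAL_ID"},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
            {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "READ_ACP"},
        ],
    }
    for who, permission in grants_lost_when_acls_disabled(sample):
        print(f"grant lost when ACLs are disabled: {permission} for {who}")
    print(log_delivery_bucket_policy("example-log-bucket", "111122223333", "ap-southeast-2"))
```

The order matters in practice: attach the replacement policy first, confirm new log objects arrive, and only then flip Object Ownership, so existing objects stay readable for audit while no delivery window is lost.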
Frequently Asked Questions
What is the difference between bucket policy and bucket ACL?
Bucket policies control access to entire buckets, while ACLs control access to individual objects within a bucket, making policies the default choice for most scenarios.
What is the full form of ACLs in S3 bucket?
ACLs in S3 stand for Access Control Lists, which allow users to set permissions on S3 objects.
How do I make my S3 bucket public using ACL?
To make your S3 bucket public, update the object's access control list (ACL) from the Amazon S3 console or use the AWS Command Line Interface (AWS CLI). This will grant public access to your S3 bucket.
How do I restrict access to AWS S3 bucket?
To restrict access to an AWS S3 bucket, you can write IAM user policies and bucket policies that define access to specific buckets and objects, or use Amazon S3 Block Public Access to limit public access. By implementing these measures, you can control who can view, modify, or delete your S3 bucket contents.
Sources
- https://docs.cyberduck.io/protocols/s3/
- https://www.directdefense.com/how-to-prevent-exploitation-of-amazon-s3-buckets-with-weak-permissions/
- https://binaryguy.tech/aws/s3/iam-policies-vs-s3-policies-vs-s3-bucket-acls/
- https://cevo.com.au/post/disabling-s3-acls-and-s3-object-ownership/
- https://labs.detectify.com/writeups/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/