Severity: Medium | Service: S3

ACLs should not be used to manage user access to S3 general purpose buckets

NIST, ISO 27001, HIPAA

Description

Checks that S3 access control lists (ACLs) are not used to manage user access to general purpose buckets, i.e. that the bucket's Object Ownership setting is 'Bucket owner enforced', which disables ACLs entirely. ACL grants (to other accounts, to the 'Authenticated users' group or to 'Everyone') sit outside bucket policies and IAM policies, so they are easy to overlook when reviewing who can reach a bucket, and a bucket that still accepts ACLs can have objects owned by other accounts that the bucket owner cannot fully control.


Remediation

To disable ACLs for your S3 general purpose buckets so that permissions are managed only through bucket policies or IAM policies, follow these steps:

Steps

  1. Sign in to the AWS Management Console and open the Amazon S3 console.
  2. In the Buckets list, choose the name of the bucket you want to modify.
  3. Choose the 'Permissions' tab.
  4. Under 'Access control list (ACL)', review the existing grants. Any grant to another account, to 'Authenticated users group' or to 'Everyone (public access)' stops working once ACLs are disabled, so translate the grants you still need into bucket policy or IAM policy statements before continuing.
  5. Under the 'Object Ownership' section, click on the 'Edit' button.
  6. Select 'Bucket owner enforced' to completely disable ACLs for the bucket. From this point on the bucket owner owns every object in the bucket, and PutObject requests that specify an ACL other than bucket-owner-full-control are rejected with an AccessControlListNotSupported error, so check any uploading clients or cross-account writers that set ACLs.
  7. Click on 'Save changes'.
  8. Verify that access is now managed exclusively via the bucket policy or the IAM policies of users and roles, and adjust them as necessary to ensure proper permissions.
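The following is an added example, not code from the original page or from the check's own implementation. It reproduces the logic of this check offline: given the Object Ownership setting and the bucket ACL (in the shapes returned by `aws s3api get-bucket-ownership-controls` and `aws s3api get-bucket-acl`), it reports PASS only for 'Bucket owner enforced' and otherwise lists the ACL grants that would have to be migrated to a bucket policy before ACLs are switched off. The bucket names, canonical user IDs and API responses are constructed sample data; no AWS calls are made.

```python
"""Offline evaluation of the 'ACLs must not manage access to S3 buckets' check.

The responses below are constructed (hypothetical) and mimic the shapes returned
by `aws s3api get-bucket-ownership-controls` and `aws s3api get-bucket-acl`.
"""
from typing import Dict, List, Optional

BUCKET_OWNER_ENFORCED = "BucketOwnerEnforced"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def object_ownership(ownership_controls: Optional[Dict]) -> str:
    """Return the bucket's ObjectOwnership setting.

    A bucket that has never had OwnershipControls set makes the API raise
    OwnershipControlsNotFoundError; that case is modelled here as None and
    behaves like the legacy default 'ObjectWriter' (ACLs enabled).
    """
    if not ownership_controls:
        return "ObjectWriter"
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    return rules[0]["ObjectOwnership"] if rules else "ObjectWriter"


def describe_grantee(grantee: Dict) -> str:
    """Human-readable label for an ACL grantee (group URI or canonical user ID)."""
    if grantee.get("Type") == "Group":
        uri = grantee.get("URI", "")
        if uri == ALL_USERS:
            return "Everyone (public)"
        if uri == AUTHENTICATED_USERS:
            return "Any authenticated AWS user"
        return uri
    return f"CanonicalUser {grantee.get('ID', '?')}"


def non_owner_grants(acl: Dict) -> List[str]:
    """Grants in the bucket ACL other than the owner's own entry.

    These are the grants that silently stop working once Object Ownership is
    switched to BucketOwnerEnforced, so they must be re-expressed as bucket
    policy or IAM policy statements first.
    """
    owner_id = acl["Owner"]["ID"]
    extra = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == owner_id:
            continue
        extra.append(f"{grant['Permission']} -> {describe_grantee(grantee)}")
    return extra


def evaluate_bucket(name: str, ownership_controls: Optional[Dict], acl: Dict) -> Dict:
    """PASS when ACLs are disabled (BucketOwnerEnforced); otherwise FAIL and
    list the ACL grants that would need migrating."""
    mode = object_ownership(ownership_controls)
    if mode == BUCKET_OWNER_ENFORCED:
        return {"bucket": name, "status": "PASS", "object_ownership": mode, "extra_grants": []}
    return {
        "bucket": name,
        "status": "FAIL",
        "object_ownership": mode,
        "extra_grants": non_owner_grants(acl),
    }


# --- constructed sample data (hypothetical accounts and buckets) --------------
OWNER = {"DisplayName": "example-owner", "ID": "a1b2c3d4e5f6" * 5 + "abcd"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"}

HARDENED_CONTROLS = {"OwnershipControls": {"Rules": [{"ObjectOwnership": BUCKET_OWNER_ENFORCED}]}}
HARDENED_ACL = {"Owner": OWNER, "Grants": [OWNER_GRANT]}

LEGACY_CONTROLS = None  # the API would raise OwnershipControlsNotFoundError here
LEGACY_ACL = {
    "Owner": OWNER,
    "Grants": [
        OWNER_GRANT,
        {"Grantee": {"Type": "CanonicalUser", "ID": "f0e1d2c3b4a5" * 5 + "ffff"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for result in (
        evaluate_bucket("hardened-bucket", HARDENED_CONTROLS, HARDENED_ACL),
        evaluate_bucket("legacy-bucket", LEGACY_CONTROLS, LEGACY_ACL),
    ):
        print(result)
    # Remediation for a FAIL (real AWS CLI command; run it only after the
    # listed grants have been migrated to a bucket policy):
    #   aws s3api put-bucket-ownership-controls --bucket legacy-bucket \
    #     --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'
```

Running the block prints a PASS for the hardened bucket and a FAIL for the legacy bucket together with the two grants (a cross-account READ and a public READ) that the bucket policy must cover before Object Ownership is flipped. A missing OwnershipControls configuration is treated as a failure on purpose: the S3 default for buckets created before Object Ownership existed is 'Object writer', which is exactly the ACL-enabled state the check flags.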

Compliance

NIST, ISO 27001, HIPAA