How broad are Trusted Advisor S3 checks?

0

Reading the documentation on the AWS S3 Block Public Access I see there are four ways to allow public access to S3:

  • access control lists (ACLs),
  • access point policies,
  • bucket policies, or
  • all.

Questions are:

  1. Does AWS Trusted Advisor check S3 permissions for all of these methods?

  2. If there are conflicts between these four ways, does AWS Trusted Advisor report the conflicts? For example, I read online that AWS Trusted Advisor doesn't catch bucket policies that override ACLs. Are there other scenarios it doesn't catch?

  3. Does AWS Trusted Advisor catch when CORS allows for an open S3 bucket using the AllowedMethod element?

1 Answer
0
Accepted Answer
  1. Trusted Advisor checks ACLs that allow public list and public upload/delete permissions, and policies for statements that grant public access. It does not check Access Point Policies.

  2. It checks the ACL and Bucket Policy, and if either of these allows any public access it will be flagged. If you have a conflict (i.e. a block and an allow) it will still report on the allow (from my testing at least!).

  3. No, TA only checks for ACL and/or policy.

If your customer wants to block public access to buckets, the recommended way is to use the "Block Public Access" option on the bucket.

The alert criteria are detailed in the Trusted Advisor console. These are the specific checks that it carries out:

  • Yellow: The bucket ACL allows List access for "Everyone" or "Any Authenticated AWS User".
  • Yellow: A bucket policy allows any kind of open access.
  • Yellow: Bucket policy has statements that grant public access. The "Block public and cross-account access to buckets that have public policies" setting is turned on and has restricted access to only authorised users of that account until public statements are removed.
  • Yellow: Trusted Advisor does not have permission to check the policy, or the policy could not be evaluated for other reasons.
  • Red: The bucket ACL allows Upload/Delete access for "Everyone" or "Any Authenticated AWS User".

AWS
EXPERT
answered 4 years ago
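The answer above says Trusted Advisor grades ACL grants to "Everyone" / "Any Authenticated AWS User" (Yellow for List, Red for Upload/Delete) and flags public bucket-policy statements, but does not look at access point policies or CORS. The script below is an added example, not code from AWS, Trusted Advisor or the answerer: an offline reviewer that applies the same grading to ACL and bucket-policy documents and extends it to the two surfaces TA skips. It assumes the documents have the shape boto3 returns for get_bucket_acl, get_bucket_policy, get_access_point_policy and get_bucket_cors; the sample documents, bucket name, access point name and account id are constructed for the demo.

```python
"""Offline review of the four S3 public-access surfaces named in the question.

Added example (not AWS or Trusted Advisor code). Input documents use the shapes
boto3 returns for get_bucket_acl / get_bucket_policy / get_access_point_policy /
get_bucket_cors; the samples at the bottom are constructed, not real resources.
"""
import json

# URIs S3 uses for the two predefined groups Trusted Advisor's criteria name.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # "Everyone"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # "Any Authenticated AWS User"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
WRITE_PERMS = {"WRITE", "FULL_CONTROL"}  # graded Red (Upload/Delete)
LIST_PERMS = {"READ"}                    # graded Yellow (List)


def acl_findings(acl):
    """(severity, message) for each ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue
        who = "Everyone" if grantee["URI"] == ALL_USERS else "Any Authenticated AWS User"
        perm = grant.get("Permission")
        if perm in WRITE_PERMS:
            findings.append(("Red", f"ACL grants Upload/Delete ({perm}) to {who}"))
        elif perm in LIST_PERMS:
            findings.append(("Yellow", f"ACL grants List ({perm}) to {who}"))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (the AWS element may be a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_findings(policy, label="Bucket policy"):
    """Flag Allow statements with a public principal; note whether a Condition narrows them."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        suffix = ", limited by a Condition (review it)" if stmt.get("Condition") else ""
        findings.append(("Yellow", f"{label}: public Allow for {actions}{suffix}"))
    return findings


def cors_findings(cors):
    """Flag CORS rules letting any origin use mutating methods.

    CORS alone cannot open a bucket; the ACL or a policy must still allow the call.
    It widens which browser origins can exercise an existing allow, so review it together.
    """
    findings = []
    for rule in cors.get("CORSRules", []):
        mutating = set(rule.get("AllowedMethods", [])) & {"PUT", "POST", "DELETE"}
        if "*" in rule.get("AllowedOrigins", []) and mutating:
            findings.append(("Yellow", f"CORS: any origin may use {', '.join(sorted(mutating))}"))
    return findings


def review_bucket(acl, bucket_policy=None, access_point_policies=(), cors=None):
    """One report over ACL, bucket policy, access point policies and CORS."""
    findings = acl_findings(acl)
    if bucket_policy:
        findings += policy_findings(bucket_policy, "Bucket policy")
    for name, ap_policy in access_point_policies:  # the surface TA does not check
        findings += policy_findings(ap_policy, f"Access point '{name}' policy")
    if cors:
        findings += cors_findings(cors)
    return findings


# Constructed sample documents (boto3 response shapes; names and ids are invented).
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_AP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:us-east-1:111122223333:accesspoint/example-ap/object/*"}]}
SAMPLE_CORS = {"CORSRules": [{"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT"]}]}

if __name__ == "__main__":
    report = review_bucket(SAMPLE_ACL, SAMPLE_BUCKET_POLICY, [("example-ap", SAMPLE_AP_POLICY)], SAMPLE_CORS)
    for severity, message in report:
        print(f"{severity:6} {message}")
```

Feeding it live output is a matter of replacing the sample dictionaries with the boto3 responses; note that a public Allow carrying a Condition (for example an aws:SourceVpce or aws:SourceIp key) is reported for review rather than suppressed, which mirrors the answer's observation that TA reports the allow even when something else restricts it.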
