S3 Bucket ACL Changed

This alert occurs when Lacework detects an S3 bucket ACL change.

Why this Alert is Important

AWS access control lists (ACLs) play an important part in limiting how exposed your S3 buckets are. An unauthorized ACL modification can give attackers access to your S3 bucket.

Investigation

Ensure that all changes to ACLs are audited and made only by authorized personnel. Look for rules allowing access to unknown IP addresses. Check for anomalies in ACL changes.
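
One way to run this review over CloudTrail records, as an added example that is not Lacework's own detection logic. It assumes ACL changes are logged as `PutBucketAcl` events and that `AUTHORIZED_ARNS` (a hypothetical allowlist) names the principals permitted to change ACLs; the sample records are constructed.

```python
# Predefined S3 grantee groups that expose a bucket beyond the account.
BROAD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BROAD_CANNED = {"public-read", "public-read-write", "authenticated-read"}
# Assumption: hypothetical allowlist of principals permitted to change ACLs.
AUTHORIZED_ARNS = {"arn:aws:iam::111122223333:user/s3-admin"}


def as_list(value):
    """CloudTrail may record a single item or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_acl_change(event):
    """Return findings for one CloudTrail record; empty list means no concern."""
    if event.get("eventName") != "PutBucketAcl":
        return []
    findings = []
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    if actor not in AUTHORIZED_ARNS:
        findings.append(f"unauthorized actor: {actor}")
    params = event.get("requestParameters") or {}
    for canned in as_list(params.get("x-amz-acl")):
        if canned in BROAD_CANNED:
            findings.append(f"broad canned ACL: {canned}")
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in as_list(acl.get("Grant")):
        uri = (grant.get("Grantee") or {}).get("URI", "")
        if uri in BROAD_GROUPS:
            group = uri.rsplit("/", 1)[-1]
            findings.append(f"{grant.get('Permission')} granted to {group}")
    return findings


# Constructed sample records (not real log data).
PUBLIC_GRANT = {
    "eventName": "PutBucketAcl",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
    "requestParameters": {"bucketName": "example-bucket", "AccessControlPolicy": {
        "AccessControlList": {"Grant": {"Permission": "READ", "Grantee": {
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}}}},
}
ROUTINE = {
    "eventName": "PutBucketAcl",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/s3-admin"},
    "requestParameters": {"bucketName": "example-bucket", "x-amz-acl": ["private"]},
}
```

Calling `review_acl_change` on each record returns the reasons it needs follow-up; an empty list means the change came from an allowlisted principal and granted nothing to the broad groups.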

Resolution

Revert all unnecessary ACL changes. Use a common template to make changes. Follow the principle of least privilege.

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/what-is-s3.html