Private/Not-Public Access
A bucket is not available to be accessed by everyone but only by certain users.
By default, all S3 buckets are private and can be accessed only by users who are explicitly granted access. One can restrict access to their S3 buckets or objects by writing IAM user policies that specify the users that can access specific buckets and objects.
Public Access
S3 Public Access provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects never have public access, now and in the future. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.
Unknown Access
Buckets in CloudHealth show Unknown for Access, Read access, and Write access when their access status could not be determined. This can occur for buckets that are either public or private when the platform is unable to obtain that information.
The Access column is based on an analysis of the bucket's ACL and the bucket policy.
Note: Specifically for the condition key "aws:SecureTransport", the policy on these 'unknown' buckets blocks all access when aws:SecureTransport is false (i.e. when the connection is not made over TLS). The policy is explicitly denying access under that condition. CloudHealth uses TLS for its collection calls, but the condition "Condition": {"Bool": {"aws:SecureTransport": "false"}} is currently not supported, so it is not processed by CloudHealth and is instead returned as an Unsupported Policy Configuration exception. This translates to an "Unknown" state for Access, Read Access, and Write Access on the S3 asset record.
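The following is an added example, not CloudHealth's own code, of how an analyzer can derive a public / private / unknown verdict from a bucket ACL and bucket policy in the way the sections above describe: a global-group ACL grant or a wildcard-principal Allow means public, and any policy condition key the analyzer does not understand (here, aws:SecureTransport when it is not in the supported set) yields Unknown rather than a guess. The policies, ACLs, bucket name and account id are constructed sample inputs; the `supported_keys` parameter and the function names are this example's own.

```python
"""Toy S3 bucket access classifier: 'public', 'private' or 'unknown'.

Illustrative code, not CloudHealth's implementation. The verdict is derived
from the bucket ACL plus the bucket policy, and a condition key the analyzer
cannot evaluate forces 'unknown', mirroring the behaviour described above.
"""

# Canned ACL grantee URIs that expose a bucket to the world or to any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any caller at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _unsupported_condition_keys(stmt, supported_keys):
    """Condition keys in this statement that the analyzer cannot evaluate."""
    found = []
    for operator, key_values in stmt.get("Condition", {}).items():
        for key in key_values:
            if key not in supported_keys:
                found.append(f"{operator}/{key}")
    return found


def _acl_is_public(acl):
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def classify_access(policy, acl=None, supported_keys=frozenset()):
    """Return (state, reason) with state in {'public', 'private', 'unknown'}.

    supported_keys is the set of condition keys this analyzer knows how to
    evaluate. Any other key, in any statement, makes the true exposure
    undecidable for the tool, so the result is 'unknown' (simplification:
    a public ACL grant is reported before the policy is inspected).
    """
    acl = acl or {}
    if _acl_is_public(acl):
        return "public", "ACL grants access to a global group"
    for stmt in _statements(policy):
        unknown_keys = _unsupported_condition_keys(stmt, supported_keys)
        if unknown_keys:
            sid = stmt.get("Sid", "<no Sid>")
            return "unknown", f"statement {sid} uses unsupported condition(s): {', '.join(unknown_keys)}"
    for stmt in _statements(policy):
        if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
            return "public", f"statement {stmt.get('Sid', '<no Sid>')} allows any principal"
    return "private", "no public ACL grant and no wildcard-principal Allow"


# Constructed sample inputs (bucket name and account id are placeholders).
TLS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                          "Permission": "READ"}]}

if __name__ == "__main__":
    print(classify_access(TLS_ONLY_POLICY, PRIVATE_ACL))
    print(classify_access(TLS_ONLY_POLICY, PRIVATE_ACL, supported_keys={"aws:SecureTransport"}))
    print(classify_access(PUBLIC_READ_POLICY, PRIVATE_ACL))
    print(classify_access({"Statement": []}, PUBLIC_ACL))
```

With an empty `supported_keys` the TLS-only Deny policy is reported as Unknown, which is the situation the note describes; once the analyzer is taught `aws:SecureTransport`, the same policy is correctly seen as a harmless Deny and the bucket is classified private.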