I found a misconfigured S3 bucket at a global customer service tech company, where the misconfiguration of the S3 bucket allowed any authenticated user to upload files to and delete files from their S3 bucket.
I am redacting the bucket name and company name as “<xyz>” at the request of the affected company.
1. Configure the AWS CLI on your Windows/Linux/Mac machine.
2. Execute the commands below from the CLI:
   - Uploading a file — aws s3 cp test.html s3://<xyz>-uploads/
   - Deleting a file — aws s3 rm s3://<xyz>-uploads/test.html
   - Listing the files — aws s3 ls s3://<xyz>-uploads/
3. I received an email from the VP of engineering saying they had fixed the issue; below is my confirmation to them.
- Review the bucket ACLs to verify that WRITE_ACP permissions are only set on specific users, never on groups such as
- Take a look at how you are uploading objects to S3 buckets and make sure you set the proper ACLs on both buckets and objects.
Note: Newly created Amazon S3 buckets and objects are private and protected by default.
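As an added example (not part of the original write-up or the affected company's tooling), here is a small Python check for the ACL review recommended above. It takes a bucket ACL in the JSON shape returned by aws s3api get-bucket-acl (or boto3's get_bucket_acl) and flags write-capable grants to the predefined AllUsers and AuthenticatedUsers groups; the sample ACL and owner ID are constructed.

```python
"""Flag S3 bucket ACL grants that let a predefined group write objects or ACLs."""
import json

# Predefined S3 groups: a grant to either reaches far beyond one account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GROUP_LABELS = {
    ALL_USERS: "AllUsers (anonymous)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account)",
}

# Permissions that allow changing bucket contents or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def find_risky_grants(acl: dict) -> list:
    """Return (group label, permission) pairs for write-capable group grants.

    Grants to CanonicalUser / AmazonCustomerByEmail grantees are the intended
    shape (specific users) and are not reported. Group grants to anything other
    than the two global groups (e.g. s3/LogDelivery) are left for manual review.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        permission = grant.get("Permission")
        if uri in GROUP_LABELS and permission in WRITE_LIKE:
            findings.append((GROUP_LABELS[uri], permission))
    return findings


# Constructed sample ACL (not the affected bucket's): the owner keeps
# FULL_CONTROL, but any authenticated AWS user was also granted WRITE.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"}
  ]
}""")

if __name__ == "__main__":
    for label, permission in find_risky_grants(SAMPLE_ACL):
        print(f"RISK: {permission} granted to {label}")
```

To check a real bucket, feed it the output of aws s3api get-bucket-acl --bucket <bucket-name> instead of SAMPLE_ACL; object ACLs (aws s3api get-object-acl) have the same Grants shape and can be passed through the same function.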