Predefined permissions, also known as canned ACLs, are a quick way to grant broad privileges to predefined groups of users: a single ACL value expands to a set of grants, and some of those grants give read or write access to every AWS account or to anyone on the internet.

The following canned ACLs are security-sensitive:

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to apply the principle of least privilege, i.e. to grant users only the permissions their tasks require. For canned ACLs this means keeping the PRIVATE value (the default) and, when finer-grained access is needed, granting it through an appropriate S3 bucket policy or IAM policy rather than through a canned ACL.

Sensitive Code Example

With the PUBLIC_READ_WRITE access control, the AllUsers group (anyone, authenticated or anonymous) is granted READ and WRITE permissions, so any client on the internet can list the bucket and upload, overwrite or delete its objects:

const s3 = require('aws-cdk-lib/aws-s3');
const s3deploy = require('aws-cdk-lib/aws-s3-deployment');

// Canned ACL applied to the bucket itself: AllUsers get READ and WRITE.
const bucket = new s3.Bucket(this, 'bucket', {
    accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE // Sensitive
});

// Canned ACL applied to every object the deployment uploads into the bucket.
new s3deploy.BucketDeployment(this, 'DeployWebsite', {
    sources: [s3deploy.Source.asset('./website')], // local directory to upload
    destinationBucket: bucket,
    accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE // Sensitive
});

Compliant Solution

With the PRIVATE access control (the default), the only grant is FULL_CONTROL for the bucket owner: no other account or group gets read or write permissions on the bucket, its objects or its ACL.

const s3 = require('aws-cdk-lib/aws-s3');
const s3deploy = require('aws-cdk-lib/aws-s3-deployment');

// Explicit PRIVATE; omitting accessControl gives the same result.
const bucket = new s3.Bucket(this, 'bucket', {
    accessControl: s3.BucketAccessControl.PRIVATE
});

// Uploaded objects stay private; grant readers access through a policy instead.
new s3deploy.BucketDeployment(this, 'DeployWebsite', {
    sources: [s3deploy.Source.asset('./website')], // local directory to upload
    destinationBucket: bucket,
    accessControl: s3.BucketAccessControl.PRIVATE
});
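The CDK examples above only show the construct code; what actually reaches AWS is the CloudFormation template that `cdk synth` produces, where each BucketAccessControl value becomes the AccessControl property of an AWS::S3::Bucket resource (for instance PUBLIC_READ_WRITE becomes "PublicReadWrite"). The following is an added example, not code from the rule page or from aws-cdk-lib: a small Node.js check that scans such a template and reports every bucket whose canned ACL grants access to the AllUsers or AuthenticatedUsers group, which is the set of values the recommendation above tells you to avoid. It runs offline on a constructed sample template (the logical IDs are made up); the set of flagged ACLs and the grants each one expands to come from the S3 canned ACL documentation, and the template shape is the standard CloudFormation layout.

```javascript
// Added example: gate a synthesized CloudFormation template on the canned ACL
// of its S3 buckets. Not part of the rule page or of aws-cdk-lib.

// Canned ACLs that grant access beyond the bucket owner's account, with the
// predefined group (grantee) and permissions each one expands to.
const SENSITIVE_CANNED_ACLS = {
  PublicRead:        { grantee: 'AllUsers',           permissions: ['READ'] },
  PublicReadWrite:   { grantee: 'AllUsers',           permissions: ['READ', 'WRITE'] },
  AuthenticatedRead: { grantee: 'AuthenticatedUsers', permissions: ['READ'] },
};

// Walk every AWS::S3::Bucket resource in a template object and return one
// finding per bucket whose AccessControl is a sensitive canned ACL.
// A bucket with no AccessControl property uses the S3 default (Private) and
// is therefore not reported; other resource types are ignored.
function findSensitiveBucketAcls(template) {
  const findings = [];
  const resources = (template && template.Resources) || {};
  for (const [logicalId, resource] of Object.entries(resources)) {
    if (!resource || resource.Type !== 'AWS::S3::Bucket') continue;
    const acl = (resource.Properties || {}).AccessControl;
    const grant = SENSITIVE_CANNED_ACLS[acl];
    if (grant) {
      findings.push({
        logicalId,
        acl,
        grantee: grant.grantee,
        permissions: grant.permissions,
      });
    }
  }
  return findings;
}

// Constructed sample (assumed shape of a `cdk synth` output; IDs are made up):
// one bucket with the sensitive canned ACL from the example above, one with an
// explicit Private ACL, one relying on the default, and an unrelated resource.
const SAMPLE_TEMPLATE = {
  Resources: {
    WebsiteBucket1A2B3C4D: {
      Type: 'AWS::S3::Bucket',
      Properties: { AccessControl: 'PublicReadWrite' },
    },
    LogsBucket5E6F7A8B: {
      Type: 'AWS::S3::Bucket',
      Properties: { AccessControl: 'Private' },
    },
    DataBucket9C0D1E2F: {
      Type: 'AWS::S3::Bucket',
      Properties: { VersioningConfiguration: { Status: 'Enabled' } },
    },
    WorkQueue3A4B5C6D: {
      Type: 'AWS::SQS::Queue',
      Properties: { QueueName: 'work' },
    },
  },
};

// Load a template from the path given on the command line (e.g.
// cdk.out/MyStack.template.json) when one is supplied, else use the sample.
function loadTemplate() {
  const argPath = typeof process !== 'undefined' && process.argv ? process.argv[2] : undefined;
  if (argPath && typeof require === 'function') {
    return JSON.parse(require('fs').readFileSync(argPath, 'utf8'));
  }
  return SAMPLE_TEMPLATE;
}

const findings = findSensitiveBucketAcls(loadTemplate());
for (const f of findings) {
  console.log(`${f.logicalId}: AccessControl=${f.acl} grants ${f.permissions.join('+')} to ${f.grantee}`);
}
console.log(findings.length === 0 ? 'OK: no sensitive canned ACLs' : `FAIL: ${findings.length} sensitive canned ACL(s)`);
```

On the sample the check reports the WebsiteBucket resource only. In a pipeline, run it against each `*.template.json` under `cdk.out` and fail the build when it returns findings; note that it inspects the bucket's own ACL, not the per-object ACL that BucketDeployment applies, so the accessControl of a BucketDeployment still has to be reviewed in the construct code or checked on the deployed objects.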

See