
No Authenticated-Users Read Access

ID: CTL.S3.AUTH.READ.001 Category: Access Control Severity: Critical

What This Checks

S3 buckets must not grant read access to the AuthenticatedUsers predefined group (an ACL grant of READ or FULL_CONTROL to the grantee URI http://acs.amazonaws.com/groups/global/AuthenticatedUsers). Any bucket observation whose properties.storage.visibility.authenticated_users_read is true is flagged as unsafe.

Why It Matters

The AuthenticatedUsers group includes every AWS account holder worldwide -- not just users in your organization. Any request signed with valid credentials from any AWS account, including a free one created minutes ago, qualifies. Granting read access to this group on a bucket like acme-patient-records-staging is therefore nearly as dangerous as making the bucket fully public: the only difference from an AllUsers grant is that the request must be signed, and S3 itself classifies grants to either group as public. This misconfiguration is a legacy of S3's original ACL model and is frequently found in older buckets that predate bucket policies. AWS recommends against using AuthenticatedUsers in any context and, since April 2023, creates new buckets with ACLs disabled (Object Ownership set to BucketOwnerEnforced), so the grant can only exist on buckets that were created earlier or had ACLs explicitly re-enabled.

What A Violation Looks Like

$ stave apply --controls controls/s3 --observations ./observations --max-unsafe 0s --now 2026-01-15T00:00:00Z
{
  "control_id": "CTL.S3.AUTH.READ.001",
  "control_name": "No Authenticated-Users Read Access",
  "resource_id": "acme-patient-records-staging",
  "resource_type": "aws_s3_bucket",
  "resource_vendor": "aws",
  "evidence": {
    "matched_properties": [
      {
        "path": "properties.storage.visibility.authenticated_users_read",
        "value": true
      }
    ],
    "first_unsafe_at": "2026-01-03T00:00:00Z",
    "last_seen_unsafe_at": "2026-01-15T00:00:00Z",
    "unsafe_duration_hours": 288,
    "threshold_hours": 0,
    "why_now": "Resource has been unsafe for 288 hours (threshold: 0 hours). Unsafe since 2026-01-03T00:00:00Z."
  },
  "mitigation": {
    "description": "Control violation detected.",
    "action": "Review the unsafe configuration and remediate."
  }
}

Correct Configuration

A safe bucket does not grant read access to the AuthenticatedUsers group:

{
  "storage": {
    "visibility": {
      "authenticated_users_read": false
    }
  }
}

To remediate: remove the ACL grant to AuthenticatedUsers (for example by resetting the bucket ACL to private), and grant access instead to specific IAM principals or through a bucket policy that names explicit account IDs. Then enable S3 Public Access Block on the bucket with IgnorePublicAcls set to true, so that S3 ignores any ACL grant to AllUsers or AuthenticatedUsers that is re-added later. Public Access Block only neutralizes the grant; the ACL still carries it, so remove the grant as well rather than relying on the block alone. Where nothing depends on ACLs, setting Object Ownership to BucketOwnerEnforced disables ACLs on the bucket altogether and prevents the grant from being re-added.
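The following worked example is added here and is not stave's own code. It shows how the authenticated_users_read property that this control matches on can be derived from a raw S3 bucket ACL (the shape returned by s3:GetBucketAcl, as boto3's get_bucket_acl returns it), how the unsafe-duration threshold in the finding above is computed, and, as an extra field that stave's output does not carry, whether a Public Access Block with IgnorePublicAcls neutralizes the grant. The ACL samples, the bucket name, the placeholder canonical user ID and the assumption that the threshold acts as a grace period are all constructed for the example.

```python
"""Worked example for CTL.S3.AUTH.READ.001 (added here; not stave's own code).

It derives the authenticated_users_read property from a raw S3 bucket ACL,
evaluates the control against an unsafe-duration threshold, and records whether
S3 Public Access Block (IgnorePublicAcls) neutralizes the grant. The ACL samples
are constructed; they follow the shape s3:GetBucketAcl returns (boto3 get_bucket_acl).
"""
import json
from datetime import datetime

# URI S3 uses for the AuthenticatedUsers predefined group in ACL grants.
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# READ on a bucket allows listing its objects; FULL_CONTROL implies READ.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}

CONTROL_ID = "CTL.S3.AUTH.READ.001"
CONTROL_NAME = "No Authenticated-Users Read Access"
PROPERTY_PATH = "properties.storage.visibility.authenticated_users_read"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def authenticated_users_read(acl):
    """True if any grant gives READ or FULL_CONTROL to the AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") == AUTHENTICATED_USERS_URI
                and grant.get("Permission") in READ_PERMISSIONS):
            return True
    return False


def to_observation(bucket, acl):
    """Map a raw ACL to an observation carrying the property path the control matches."""
    return {
        "resource_id": bucket,
        "resource_type": "aws_s3_bucket",
        "resource_vendor": "aws",
        "properties": {"storage": {"visibility": {
            "authenticated_users_read": authenticated_users_read(acl)}}},
    }


def evaluate(observation, first_unsafe_at, now, threshold_hours=0, public_access_block=None):
    """Return a finding dict if the bucket has been unsafe for at least threshold_hours,
    else None. Timestamps are ISO-8601 strings in UTC, as in stave's output.

    Assumption: the threshold is a grace period, so --max-unsafe 0s flags immediately.
    public_access_block is the bucket's PublicAccessBlockConfiguration, if known.
    """
    visibility = observation["properties"]["storage"]["visibility"]
    if not visibility.get("authenticated_users_read"):
        return None
    first = datetime.strptime(first_unsafe_at, TS_FORMAT)
    last = datetime.strptime(now, TS_FORMAT)
    hours = int((last - first).total_seconds() // 3600)
    if hours < threshold_hours:
        return None
    pab = public_access_block or {}
    return {
        "control_id": CONTROL_ID,
        "control_name": CONTROL_NAME,
        "resource_id": observation["resource_id"],
        "resource_type": observation["resource_type"],
        "resource_vendor": observation["resource_vendor"],
        "evidence": {
            "matched_properties": [{"path": PROPERTY_PATH, "value": True}],
            "first_unsafe_at": first_unsafe_at,
            "last_seen_unsafe_at": now,
            "unsafe_duration_hours": hours,
            "threshold_hours": threshold_hours,
            "why_now": (f"Resource has been unsafe for {hours} hours "
                        f"(threshold: {threshold_hours} hours). Unsafe since {first_unsafe_at}."),
        },
        # Added field: S3 classes AuthenticatedUsers grants as public, so IgnorePublicAcls
        # makes S3 disregard the grant even though the ACL still carries it.
        "mitigated_by_public_access_block": bool(pab.get("IgnorePublicAcls", False)),
    }


# Constructed samples. The canonical user ID is a placeholder, not a real account.
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef" * 4}
UNSAFE_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS_URI}, "Permission": "READ"},
    ],
}
SAFE_ACL = {"Owner": {"ID": OWNER["ID"]},
            "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    obs = to_observation("acme-patient-records-staging", UNSAFE_ACL)
    print(json.dumps(evaluate(obs, "2026-01-03T00:00:00Z", "2026-01-15T00:00:00Z"), indent=2))
    print(evaluate(to_observation("acme-patient-records-staging", SAFE_ACL),
                   "2026-01-03T00:00:00Z", "2026-01-15T00:00:00Z"))
```

Running it reproduces the 288-hour window of the finding above for the unsafe ACL and returns None for the safe one. Passing public_access_block={"IgnorePublicAcls": True} still yields a finding, because the grant is still in the ACL; only the added mitigated_by_public_access_block field flips to true, which is the reason the remediation removes the grant rather than relying on the block alone.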

Related Controls

  • CTL.S3.PUBLIC.004 -- No Public Read via ACL (flags AllUsers read grants, the fully public equivalent)
  • CTL.S3.ACCESS.001 -- No Unauthorized Cross-Account Access (flags external account principals in bucket policies)
  • CTL.S3.CONTROLS.001 -- Public Access Block Must Be Enabled (PAB can mitigate ACL-based grants)