CLOUD01 Insecure Cloud Storage ACLs
What this means
SiteShadow flagged cloud storage configuration that appears to allow broader access than intended (public buckets/blobs, permissive ACLs, or overly broad IAM policies).
Why it matters
Public buckets frequently expose sensitive data and backups.
- Data breaches: backups, logs, exports, and customer files become world-readable.
- Credential leakage: config dumps and backups often contain secrets.
- Regulatory risk: accidental public storage is a common compliance failure.
Safer examples
1) Make private the default
Disable public access by default and require explicit, reviewed exceptions.
2) Use least-privilege IAM policies
- Grant access only to specific roles/services.
- Avoid wildcard (*) permissions on buckets where possible.
3) Separate public assets from private data
If you have a public bucket for static assets, keep it completely separate from backups/exports/uploads.
How SiteShadow detects it (high level)
- Flags IaC/config patterns that enable public access or broad ACLs for storage resources.
- Highlights risky policy statements (wildcards, public principals) when found in storage contexts.
References
- OWASP Top 10: https://owasp.org/Top10/