During a penetration test, you discover that an Amazon S3 bucket named media-assets allows anyone on the Internet to download its objects anonymously. Which specific bucket setting most likely enabled this unauthorized access?
Block Public Access settings were enabled for the bucket and account
The bucket policy allowed anonymous users the s3:DeleteObject action but denied s3:GetObject
The bucket ACL granted READ permission to the AllUsers group, making the bucket public-read
The bucket ACL granted WRITE permission to the AllUsers group, allowing uploads but not unauthenticated downloads
Granting READ permission to the predefined AllUsers group applies the public-read canned ACL, making the bucket publicly readable and letting unauthenticated users list or download its objects. Granting only WRITE permission would allow uploads but not downloads. A bucket policy that allows only s3:DeleteObject without s3:GetObject permits deletion but still blocks reads, and enabling Block Public Access would have stopped all anonymous requests.