Bucket policies and ACLs
Bucket policies and access control lists (ACLs) are the front line of access control for S3: they decide which principals may list, read, or write the buckets and objects in your AWS environment. The two are different mechanisms. A bucket policy is a JSON document written in the IAM policy language and attached to a single bucket; it can both allow and explicitly deny. An ACL is an older, coarser list of grants (a grantee plus a permission such as READ or FULL_CONTROL) that applies to a bucket or to an individual object, is set through the console, CLI, or API rather than written as a policy document, and can only grant, never deny. Neither is written in YAML; YAML only enters the picture when you define them inside a CloudFormation template. The policy JSON is verbose, which makes it either easy or tedious to review, depending on how you look at it.
Now let's move forward and take a look at how these policies are created.
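As an added example (not code from the book or from AWS tooling), here is a small Python checker that does the first thing a pentester does with a bucket: parse the JSON bucket policy and the ACL grant list and flag anything that grants access to everyone. The sample policy and ACL are constructed for this example, in the shapes that the `get-bucket-policy` and `get-bucket-acl` API calls return; the bucket name, account ID, and VPC endpoint ID are placeholders.

```python
import json

# Constructed sample bucket policy (not from the page): the classic
# "public read" statement of the kind the lab below creates.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",   # placeholder bucket
    }],
})

# Constructed policy mixing a scoped grant with a conditioned public one.
SAMPLE_MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOneRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},  # placeholder
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "PublicButConditioned",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})

# Constructed ACL in the shape get-bucket-acl returns (owner ID is a placeholder).
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Predefined S3 groups that mean "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True if the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return Allow statements whose Principal is everyone.

    Each finding records the Sid, actions, resources, and whether a Condition
    block narrows the grant (left for the reader to judge, not auto-dismissed).
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": "Condition" in stmt,
        })
    return findings


def find_public_acl_grants(acl):
    """Return (group, permission) pairs for grants to the AllUsers/AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            hits.append((group, grant.get("Permission")))
    return hits


if __name__ == "__main__":
    for name, doc in (("public", SAMPLE_PUBLIC_POLICY), ("mixed", SAMPLE_MIXED_POLICY)):
        for f in find_public_statements(doc):
            print(f"{name}: {f['sid']} allows {f['actions']} to everyone"
                  f"{' (with Condition)' if f['conditioned'] else ''}")
    print("ACL public grants:", find_public_acl_grants(SAMPLE_ACL))
```

Against a live bucket you would feed these functions the output of `boto3.client("s3").get_bucket_policy(Bucket=name)["Policy"]` and `get_bucket_acl(Bucket=name)` instead of the constructed samples. A conditioned `Principal: "*"` is reported rather than dismissed: AWS's own definition of "public" treats some condition keys (a fixed `aws:SourceVpce`, for example) as narrowing the grant, but whether that narrowing is meaningful is a judgement call for the tester, and the bucket is still reachable from any principal inside that VPC endpoint.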
Public bucket policies
When pentesting S3, one of the first things you'll want to do is inspect the bucket policy and ACL attached to each bucket you find. The following walks through a simple, deliberately public bucket policy that we'll create, and how we can start interacting with the bucket based on that policy.
Follow these steps to create a policy for the bucket and then list it out:
- Go to the S3 console, open the bucket list, and click on the bucket that we created earlier.
- Next, click on the Permissions tab.
- Ensure that every option under Block all public access is unchecked. Block Public Access overrides any public policy or ACL, so S3 will refuse a public policy while it is on; turn it off only on a lab bucket that holds nothing sensitive, and turn it back on when you're done: