Initial Publication Date: 05/18/2023 10:00AM EST

A security researcher recently reported an issue in Amazon GuardDuty in which a change to the policy of an S3 bucket not protected by Block Public Access (BPA) could be carried out to grant public access to the bucket without triggering a GuardDuty alert. This specific issue would occur if the S3 bucket policy was updated within a single new policy that included both an "Allow" for "Principal::"*" or "Principal":"AWS":"*" in one statement (making the bucket public) and also a “Deny” for "Action": "s3:GetBucketPublicAccessBlock in another, which altered all callers’ ability (including GuardDuty) to check bucket configuration. Customers who use the recommended BPA feature would not have been impacted by this issue because the required previous step of disabling BPA would have triggered a different GuardDuty alert.

While the previous GuardDuty detection criteria and limitation was publicly documented here, we agreed with the researcher’s recommendation to alter this behavior and, as of April 28, 2023, have implemented a change to still provide a GuardDuty alert in this case.

We would like to thank Gem Security for responsibly disclosing this issue and working with us on its resolution.

Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.