I just got this too and was slightly alarmed to find EVERYTHING from my blog was listed – .htaccess, config files etc.
Of course, I’ve changed the passwords and immediately removed the LIST permission from “everyone”, and the blog seems to be working fine still, but a bit of a worry, and wondering why it’s set up like that.
Would CDN still work if you remove LIST?
I, too, got this message and am not sure what to do. Do I need to modify the ACL access privileges AND change my logon passwords to the WordPress site? It sounds as if they have a hacker getting into AWS. But they don’t give explicit instructions for us non-programmer types on how to fix it. Can anyone shed light, in layman’s terms, on what we need to do, step-by-step?
Many thanks – here I thought we were safer with AWS.
@maryloutyler – I just logged into S3, click the bucket name on the left, clicked “properties” and deleted the line which contained “LIST” for “EVERYONE”. Don’t delete the other properties though – people still need to be able to actually see the items, just not list the whole bucket.
Thank you.
I’m using Firefox’s S3Fox plugin. There was no LIST option, but there is a USERNAME column when I right-click on EDIT ACL that had the EVERYONE username listed with READ PRIVILEGE. I’ve deleted that USERNAME at the root folder level and applied the changes to ALL SUBFOLDERS.
I’ll watch the folder today. I saw files over the weekend that looked suspicious, and wasn’t sure if it was my testing of the CloudFront that was causing it. I read through the documentation and it was like reading a foreign language.
All the AWS Security comment areas are closed – so you cannot really ask for assistance. Even their e-mail this morning was cryptic. Unnerving…
I appreciate the quick response.
When you say “All the AWS Security comment areas are closed – so you cannot really ask for assistance”, which forum are you using?
The S3 forum is at:
https://forums.aws.amazon.com/forum.jspa?forumID=24&start=0
and in fact, someone has already started a thread about this here:
https://forums.aws.amazon.com/thread.jspa?threadID=74701&tstart=0
Might be worth following.
I was looking at the Windows on Amazon EC2 Security Guide in the Articles and Tutorials section (one of the links that showed up when I googled AWS security issue how to fix). That particular page was not accepting comments.
Thanks for providing the links. I’ll keep watch today. Marylou
I wrote a how-to for you guys: Amazon S3 Bucket Policy Fix
You need to remove the “List” permission from grantee Everyone, as pointed out by digitaltoast.
I will rethink the default policies.
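As an added example (not code from anyone in this thread), this Python finds and removes the Everyone (AllUsers) LIST grant on a bucket ACL while leaving object-level read alone, which is the distinction digitaltoast describes above. The ACLs are constructed in the shape `aws s3api get-bucket-acl` / `get-object-acl` return, and the owner IDs are placeholders.

```python
import copy

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # the "Everyone" grantee

# Constructed sample bucket ACL (placeholder owner ID): Everyone has READ,
# which on a *bucket* means ListBucket, i.e. anyone can enumerate every key.
SAMPLE_BUCKET_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
# Constructed sample object ACL: Everyone may READ (download) this one object,
# which is what a public blog image or stylesheet needs.
SAMPLE_OBJECT_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
}


def is_everyone(grant):
    g = grant["Grantee"]
    return g.get("Type") == "Group" and g.get("URI") == ALL_USERS


def public_list_grants(bucket_acl):
    """Grants that let Everyone list the bucket: READ on a bucket ACL is
    ListBucket, and FULL_CONTROL includes it."""
    return [g for g in bucket_acl["Grants"]
            if is_everyone(g) and g["Permission"] in ("READ", "FULL_CONTROL")]


def without_public_list(bucket_acl):
    """Copy of the bucket ACL with Everyone's LIST removed; every other grant
    (the owner's FULL_CONTROL, any READ_ACP, etc.) is kept unchanged."""
    drop = public_list_grants(bucket_acl)
    fixed = copy.deepcopy(bucket_acl)
    fixed["Grants"] = [g for g in bucket_acl["Grants"] if g not in drop]
    return fixed


def object_publicly_readable(object_acl):
    """True if Everyone can still download this object. The bucket fix above
    never touches object ACLs, so public objects keep serving as before."""
    return any(is_everyone(g) and g["Permission"] in ("READ", "FULL_CONTROL")
               for g in object_acl["Grants"])
```

To use it against a real bucket, feed the JSON from `aws s3api get-bucket-acl --bucket NAME` to `without_public_list`, save the result to a file, and apply it with `aws s3api put-bucket-acl --bucket NAME --access-control-policy file://acl.json`; re-run `public_list_grants` on a fresh `get-bucket-acl` to confirm it returns an empty list.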