VDB

GCVE-110-CLOUD-2023-0035

GCVE-110-CLOUD-2023-0035
Advisory Published
Vulnetix · Advisory published May 18, 2023
Threat actors in possession of IAM active credentials that had the power to update S3 bucket policies could have bypassed GuardDuty’s S3 detections and silently updated permissions for S3 resources, resulting in a bucket configuration that allowed anonymous data access. This gap in GuardDuty’s alert coverage occurred only when S3’s Block Public Access was not enabled on the account or the bucket, and when KMS-based server-side bucket encryption was not in use. In order to trigger on opening public access, GuardDuty needs to invoke two API calls: GetBucketPublicAccessBlock and GetBucketPolicyStatus. Blocking these specific API calls essentially blocked GuardDuty’s ability to trigger the alerts. Following disclosure, AWS added GD alerts on the creation of any policy that both allows data access but seeks to deny access to configuration information.

Affected Products

VendorProductVersionsPlatforms
AWSS3
AWSIAM
AWSEKS
AWSConfig
AWSGuardDuty
AWSSES
AWSKMS

Browse GCVE Records

72,148 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›