VDB
GCVE-110-CLOUD-2023-0035
GCVE-110-CLOUD-2023-0035
Advisory Published
Threat actors in possession of IAM active credentials that had the power to
update S3 bucket policies could have bypassed GuardDuty’s S3 detections and
silently updated permissions for S3 resources, resulting in a bucket configuration
that allowed anonymous data access. This gap in GuardDuty’s alert coverage
occurred only when S3’s Block Public Access was not enabled on the account
or the bucket, and when KMS-based server-side bucket encryption was not in
use. In order to trigger on opening public access, GuardDuty needs to invoke
two API calls: GetBucketPublicAccessBlock and GetBucketPolicyStatus. Blocking
these specific API calls essentially blocked GuardDuty’s ability to trigger
the alerts. Following disclosure, AWS added GD alerts on the creation of any
policy that both allows data access but seeks to deny access to configuration information.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| AWS | S3 | — | — |
| AWS | IAM | — | — |
| AWS | EKS | — | — |
| AWS | Config | — | — |
| AWS | GuardDuty | — | — |
| AWS | SES | — | — |
| AWS | KMS | — | — |
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.