S3 Glacier Vault Public Access Policy
Overview
This check ensures that your Amazon S3 Glacier vaults do not have access policies that allow public access. A Glacier vault should either have no policy at all, or have a policy that restricts access to specific AWS accounts or roles rather than granting access to everyone.
Risk
If a Glacier vault policy allows public access (using Principal: '*'), anyone on the internet could potentially:
- Read your data - Download your archived files without authorization
- Delete your archives - Permanently remove your backups and archived data
- Run up your bill - Trigger expensive retrieval operations that you pay for
- Compromise compliance - Violate data protection regulations by exposing sensitive information
This is classified as a critical security issue because it directly exposes your data to the public internet.
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify Glacier vault policies
- Knowledge of which vault(s) failed this check
Required IAM permissions
You need the following permissions:
- glacier:GetVaultAccessPolicy
- glacier:SetVaultAccessPolicy
- glacier:DeleteVaultAccessPolicy
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to S3 Glacier (search for "S3 Glacier" in the search bar)
- In the left navigation, click Vaults
- Select the vault that failed the check
- Click the Access policy tab
- Review the current policy and look for "Principal": "*", which indicates public access
- Choose one of these options:
  - Remove the policy entirely: Click Delete to remove the access policy
  - Restrict access: Click Edit and replace the wildcard principal with specific AWS account ARNs
Example of a secure policy (restricts access to a specific AWS account):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "glacier:UploadArchive",
        "glacier:InitiateMultipartUpload",
        "glacier:ListJobs"
      ],
      "Resource": "arn:aws:glacier:us-east-1:123456789012:vaults/my-vault"
    }
  ]
}
AWS CLI (optional)
Check the current vault policy:
aws glacier get-vault-access-policy \
--account-id - \
--vault-name <your-vault-name> \
--region us-east-1
Option 1: Delete the vault policy entirely
This is the simplest fix if you don't need cross-account access:
aws glacier delete-vault-access-policy \
--account-id - \
--vault-name <your-vault-name> \
--region us-east-1
Note: Using - for --account-id automatically uses your current credentials' account ID.
Option 2: Replace with a restrictive policy
Create a policy file (vault-policy.json):
{
  "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:root\"},\"Action\":[\"glacier:UploadArchive\",\"glacier:InitiateMultipartUpload\"],\"Resource\":\"arn:aws:glacier:us-east-1:123456789012:vaults/my-vault\"}]}"
}
Apply the policy:
aws glacier set-vault-access-policy \
--account-id - \
--vault-name <your-vault-name> \
--policy file://vault-policy.json \
--region us-east-1
CloudFormation (optional)
To ensure your Glacier vaults are created without public access policies, either omit the AccessPolicy property entirely or specify a restrictive policy:
Option 1: No policy (recommended for most cases)
AWSTemplateFormatVersion: '2010-09-09'
Description: Glacier vault without public access
Resources:
  SecureGlacierVault:
    Type: AWS::Glacier::Vault
    Properties:
      VaultName: my-secure-vault
      # No AccessPolicy property = no vault policy
Option 2: Restrictive policy for cross-account access
AWSTemplateFormatVersion: '2010-09-09'
Description: Glacier vault with restricted access policy
Parameters:
  TrustedAccountId:
    Type: String
    Description: AWS Account ID allowed to access this vault
Resources:
  SecureGlacierVault:
    Type: AWS::Glacier::Vault
    Properties:
      VaultName: my-secure-vault
      AccessPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${TrustedAccountId}:root'
            Action:
              - glacier:UploadArchive
              - glacier:InitiateMultipartUpload
              - glacier:ListJobs
            Resource: !Sub 'arn:aws:glacier:${AWS::Region}:${AWS::AccountId}:vaults/my-secure-vault'
Terraform (optional)
Option 1: Vault without a policy (recommended)
resource "aws_glacier_vault" "secure_vault" {
  name = "my-secure-vault"
  tags = {
    Environment = "production"
  }
  # No access_policy = no public access risk
}
Option 2: Vault with a restrictive policy
variable "trusted_account_id" {
  description = "AWS Account ID allowed to access this vault"
  type        = string
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_glacier_vault" "secure_vault" {
  name = "my-secure-vault"
  access_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${var.trusted_account_id}:root"
        }
        Action = [
          "glacier:UploadArchive",
          "glacier:InitiateMultipartUpload",
          "glacier:ListJobs"
        ]
        Resource = "arn:aws:glacier:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:vaults/my-secure-vault"
      }
    ]
  })
  tags = {
    Environment = "production"
  }
}
Important: Never use "Principal": "*" in your Terraform configurations.
Verification
After making changes, verify the fix:
- Return to the Glacier vault in the AWS Console
- Click the Access policy tab
- Confirm either:
  - No policy exists, OR
  - The policy does not contain "Principal": "*"
CLI verification
Check the current policy:
aws glacier get-vault-access-policy \
--account-id - \
--vault-name <your-vault-name> \
--region us-east-1
If you deleted the policy, you should see an error: ResourceNotFoundException
If you set a restrictive policy, verify it does not contain "Principal": "*".
Re-run the Prowler check:
prowler aws --check glacier_vaults_policy_public_access
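To script the verification above (and the earlier get-vault-access-policy lookup), here is an added Python example that is not part of Prowler or this page: it takes the JSON the CLI prints, unwraps the escaped Policy string, and reports Allow statements whose principal is a wildcard, including the {"AWS": "*"} form. The sample responses are constructed and the function names are assumptions of this example.

```python
import json

# Constructed sample in the shape `aws glacier get-vault-access-policy` returns
# (the policy document is embedded as an escaped JSON string under "Policy").
PUBLIC_VAULT_RESPONSE = json.dumps({"policy": {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "glacier:*",
                   "Resource": "arn:aws:glacier:us-east-1:123456789012:vaults/my-vault"}],
})}})

# Constructed sample of a restricted policy in the same wrapper.
RESTRICTED_VAULT_RESPONSE = json.dumps({"policy": {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["glacier:UploadArchive", "glacier:ListJobs"],
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Resource": "arn:aws:glacier:us-east-1:123456789012:vaults/my-vault"}],
})}})

def load_policy_document(raw):
    """Unwrap the CLI response ({"policy": {"Policy": "..."}}), the policy-file
    wrapper ({"Policy": "..."}) or a bare policy document into a dict."""
    doc = json.loads(raw) if isinstance(raw, str) else raw
    if "policy" in doc:
        doc = doc["policy"]
    if "Policy" in doc:
        inner = doc["Policy"]
        doc = json.loads(inner) if isinstance(inner, str) else inner
    return doc

def is_wildcard_principal(principal):
    """True for "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}: every form that
    grants access to anyone, not only the bare string the page mentions."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(raw):
    """Allow statements whose principal is a wildcard. Statements with a
    Condition are still reported: any wildcard principal counts as a finding."""
    statements = load_policy_document(raw).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unlisted
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and is_wildcard_principal(s.get("Principal"))]

def vault_policy_is_public(raw):
    return bool(public_statements(raw))
```

Pipe the CLI output into this on a machine with credentials; a ResourceNotFoundException from the CLI means there is no policy to inspect, which also passes the check.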
Notes
- S3 Glacier vs S3 Glacier Deep Archive: This check applies to S3 Glacier (Classic) vaults, not S3 Glacier storage classes within S3 buckets. S3 bucket policies are covered by separate Prowler checks.
- Eventually consistent: Policy changes may take a few moments to propagate. Wait 1-2 minutes before re-running verification.
- No data loss: Removing or modifying the vault access policy does not delete any archived data - it only changes who can access it.
- Cross-account access: If you need to grant access to another AWS account, always specify the exact account ARN rather than using a wildcard.