Specify the principal for S3 buckets

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: terraform-aws/aws-s3-no-principal

Language: Terraform

Severity: Warning

Category: Security

Description

This rule pertains to the specification of principals in the policy of S3 buckets in AWS. The principal is a crucial aspect of any AWS policy as it defines who is allowed to access the resource, in this case, the S3 bucket. It is important because specifying a broad principal such as ‘*’ opens the bucket to access from any AWS account, which can be a serious security risk.

Non-compliance with this rule can lead to unauthorized access to your S3 buckets and potential data breaches. You should always specify a principal that is as narrow as possible to limit access to only those entities that absolutely need it.

To adhere to this rule, ensure that you specify a specific AWS Amazon Resource Name (ARN) instead of using a wildcard (’*’). This way, you grant access only to the specified AWS account or user. For instance, instead of Principal = { AWS = "*" }, use Principal = { AWS = ["arn:aws:iam::something:user"] }. This helps you maintain the security of your AWS resources while ensuring that only authorized entities have access.

Non-Compliant Code Examples

resource "aws_s3_bucket_policy" "mypolicy" {
  bucket = aws_s3_bucket.mybucket.id
  policy = jsonencode({
    Id = "something"
    Version = "2012-10-17"
    Statement = [{
            Effect = "Allow"
            Principal = {
                AWS = "*"
            }
            Action = [
                "s3:PutObject"
            ]
            Resource: "${aws_s3_bucket.mybucket.arn}/*"
        }
    ]
  })
}

Compliant Code Examples

resource "aws_s3_bucket_policy" "mypolicy" {
  bucket = aws_s3_bucket.mybucket.id
  policy = jsonencode({
    Id = "something"
    Version = "2012-10-17"
    Statement = [{
            Effect = "Allow"
            Principal = {
                AWS = [
                    "arn:aws:iam::something:user"
                ]
            }
            Action = [
                "s3:PutObject"
            ]
            Resource: "${aws_s3_bucket.mybucket.arn}/*"
        }
    ]
  })
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis