
Metadata

Id: 6fa44721-ef21-41c6-8665-330d59461163

Cloud Provider: AWS

Platform: Ansible

Severity: Critical

Category: Access Control

Description

S3 bucket policies must not grant delete permissions to all principals (*). Public delete rights can enable unauthorized data tampering or complete data loss by allowing anyone on the internet to remove objects or buckets.

For Ansible S3 resources (the amazon.aws.s3_bucket module, or its short name s3_bucket), ensure the policy document contains no Statement that combines Effect: "Allow", Principal: "*", and an Action that includes delete operations (for example s3:DeleteObject or s3:DeleteBucket).

This rule flags bucket resources whose policy includes an Allow statement granting delete-related actions to the wildcard principal. Instead, restrict delete permissions to specific AWS account IDs, IAM roles/ARNs, or remove delete actions for public principals.

Secure example restricting delete to a specific AWS account:

- name: Create S3 bucket with restricted delete permissions
  amazon.aws.s3_bucket:
    name: my-bucket
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowSpecificAccountDelete",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
            "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
          }
        ]
      }
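The check described above, written out as an added example (it is not Datadog's rule implementation and not part of the original page). It walks a list of playbook tasks given as Python dicts, i.e. what a YAML loader such as PyYAML's safe_load returns for a playbook; the YAML loading step itself is left out so the script has no third-party dependency. The policy may be a JSON string (as in the secure example above) or a YAML mapping (as in the examples below). Going one step beyond the page's examples, it treats wildcard actions such as s3:* or s3:Delete* as delete-capable and accepts the {"AWS": "*"} spelling of the public principal. The sample tasks at the bottom are constructed for this example.

```python
"""Flag Ansible s3_bucket tasks whose bucket policy grants delete rights to all principals.

Added example, not Datadog's rule code. Tasks are plain dicts (what a YAML
loader returns for a playbook); the policy can be a JSON string or a mapping.
"""
import fnmatch
import json

# Module names the rule applies to (both spellings used on the page).
S3_BUCKET_MODULES = ("amazon.aws.s3_bucket", "s3_bucket")

# Actions that remove data. Compared case-insensitively; wildcard actions in a
# statement (e.g. "s3:*", "s3:Delete*") are matched against these names.
DELETE_ACTIONS = ("s3:deleteobject", "s3:deleteobjectversion", "s3:deletebucket")


def _as_list(value):
    """Normalise the IAM 'string or list of strings' shape to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def _action_allows_delete(action):
    """True if the action names a delete operation or wildcards over one."""
    pattern = str(action).lower()
    if ":" not in pattern:          # tolerate an unprefixed "DeleteObject"
        pattern = "s3:" + pattern
    # The statement's action is the glob; each known delete action is the name.
    return any(fnmatch.fnmatchcase(name, pattern) for name in DELETE_ACTIONS)


def find_public_delete_statements(policy):
    """Return [(sid_or_index, [offending actions])] for Allow statements
    that grant a delete-capable action to the wildcard principal."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue                # Deny statements never create public delete
        if not _principal_is_public(stmt.get("Principal")):
            continue
        bad = [a for a in _as_list(stmt.get("Action")) if _action_allows_delete(a)]
        if bad:
            findings.append((stmt.get("Sid", f"Statement[{i}]"), bad))
    return findings


def scan_tasks(tasks):
    """Return [(task name, statement id, actions)] for every offending task."""
    results = []
    for task in tasks:
        for module in S3_BUCKET_MODULES:
            args = task.get(module)
            if not isinstance(args, dict) or args.get("policy") is None:
                continue
            for sid, actions in find_public_delete_statements(args["policy"]):
                results.append((task.get("name", "<unnamed>"), sid, actions))
    return results


# Constructed sample tasks (hypothetical playbook content, not from the page).
SAMPLE_TASKS = [
    {   # JSON-string policy, delete limited to one account: compliant
        "name": "restricted delete",
        "amazon.aws.s3_bucket": {"name": "my-bucket", "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Sid": "AllowSpecificAccountDelete", "Effect": "Allow",
                           "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                           "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
                           "Resource": ["arn:aws:s3:::my-bucket",
                                        "arn:aws:s3:::my-bucket/*"]}]})}},
    {   # Mapping policy, explicit Deny to everyone: compliant
        "name": "deny public delete",
        "s3_bucket": {"name": "mys3bucket", "policy": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                           "Principal": "*", "Resource": "arn:aws:s3:::mys3bucket/*"}]}}},
    {   # Allow + public principal + delete action: flagged
        "name": "public delete",
        "amazon.aws.s3_bucket": {"name": "mys3bucket", "policy": {
            "Version": "2012-10-17",
            "Statement": [{"Sid": "PublicDelete", "Effect": "Allow",
                           "Action": ["s3:GetObject", "s3:DeleteObject"],
                           "Principal": {"AWS": "*"},
                           "Resource": "arn:aws:s3:::mys3bucket/*"}]}}},
]

if __name__ == "__main__":
    for name, sid, actions in scan_tasks(SAMPLE_TASKS):
        print(f"task '{name}': statement {sid} grants {actions} to all principals")
```

Only the third task is reported, because the Deny statement in the second task is skipped by the Effect check and the first task names a specific account as principal. A statement with Action: "s3:*" and Principal: "*" is also reported, since the wildcard covers the delete operations.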

Compliant Code Examples

# Compliant example: the query should not report any result here.
# Version is one of the policy-language versions AWS accepts; the Deny
# statement blocks deletes for every principal instead of allowing them.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Deny
        Action: s3:DeleteObject
        Principal: '*'
        Resource: arn:aws:s3:::mys3bucket/*

Non-Compliant Code Examples

# Non-compliant example: the query should report a result here.
# An Allow statement grants s3:DeleteObject to the wildcard principal.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: Allow
        Action: s3:DeleteObject
        Principal: "*"
        Resource: arn:aws:s3:::mys3bucket/*