AWS S3 Bucket ACL made public
Goal
Detect when an S3 bucket ACL is successfully modified to grant public access.
Strategy
This rule monitors the PutBucketAcl API call to detect when an S3 bucket is made publicly accessible. It inspects the @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI array and the @requestParameters.x-amz-acl parameter to identify public access grants. Public access is identified when a grantee URI is http://acs.amazonaws.com/groups/global/AuthenticatedUsers or http://acs.amazonaws.com/groups/global/AllUsers, or when the canned ACL parameter includes public-read or public-read-write. Making S3 buckets publicly accessible can expose sensitive data to unauthorized users and is often unintentional or the result of misconfiguration.
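The following is an added example that is not part of this rule page or of Datadog's own rule implementation: a small Python checker that applies the same two conditions (a public group grantee URI in the explicit grant list, or a public canned ACL header) to CloudTrail PutBucketAcl records. The events are constructed sample records, the account IDs, bucket names and ARNs are placeholders, and the function names (scan, public_grants) are assumptions of this example. CloudTrail renders a single Grant as an object and several as an array, and often renders x-amz-acl as a one-element list, so both shapes are normalized before matching; failed calls (those carrying an errorCode) are skipped because the rule is about successful modifications.

```python
# Flag successful PutBucketAcl calls that grant public access,
# using the same two conditions the rule describes.

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}


def _as_list(value):
    """CloudTrail renders one item as an object/string and several as an array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(event):
    """Return the reasons a PutBucketAcl event grants public access ([] if none)."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return []
    if event.get("eventName") != "PutBucketAcl":
        return []
    if event.get("errorCode"):  # only successful modifications matter
        return []
    params = event.get("requestParameters") or {}
    reasons = []
    # Condition 1: canned ACL header set to a public value
    for acl in _as_list(params.get("x-amz-acl")):
        if acl in PUBLIC_CANNED_ACLS:
            reasons.append(f"canned ACL {acl}")
    # Condition 2: explicit grant to a global group grantee
    policy = params.get("AccessControlPolicy") or {}
    acl_block = policy.get("AccessControlList") or {}
    for grant in _as_list(acl_block.get("Grant")):
        uri = (grant.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            group = uri.rsplit("/", 1)[-1]
            reasons.append(f"grant {grant.get('Permission')} to {group}")
    return reasons


def scan(events):
    """Return triage-ready findings (actor ARN, bucket, reasons) for public grants."""
    findings = []
    for event in events:
        reasons = public_grants(event)
        if reasons:
            findings.append({
                "arn": (event.get("userIdentity") or {}).get("arn"),
                "bucket": (event.get("requestParameters") or {}).get("bucketName"),
                "reasons": reasons,
            })
    return findings


# Constructed sample CloudTrail records (placeholder account, users and buckets).
EVENTS = [
    {   # explicit READ grant to AllUsers -> public
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"bucketName": "example-data", "AccessControlPolicy": {
            "AccessControlList": {"Grant": [
                {"Grantee": {"xsi:type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"},
                {"Grantee": {"xsi:type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
            ]}}}},
    {   # canned public-read header -> public
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
        "requestParameters": {"bucketName": "example-site", "x-amz-acl": ["public-read"]}},
    {   # single grant to the owner only -> not public
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {"bucketName": "example-private", "AccessControlPolicy": {
            "AccessControlList": {"Grant":
                {"Grantee": {"xsi:type": "CanonicalUser", "ID": "abc123"},
                 "Permission": "FULL_CONTROL"}}}}},
    {   # public canned ACL attempted but denied -> ignored
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/carol"},
        "requestParameters": {"bucketName": "example-denied", "x-amz-acl": ["public-read-write"]}},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Run against a real CloudTrail export, the arn and bucket fields in each finding map directly onto the first two triage steps below (who made the change, and which bucket's contents to review).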
Triage and response
- Determine if {{@userIdentity.arn}} is authorized to modify S3 bucket permissions and whether this change was intentional.
- Review the bucket contents to assess if any sensitive data has been exposed to public access.
- Verify if the public ACL configuration aligns with legitimate business requirements or if it represents a misconfiguration.
- Investigate whether the same user credentials made other unauthorized API calls or bucket modifications.
- Check S3 access logs to identify if any unauthorized parties accessed the bucket while it was publicly accessible.
Changelog
7 April 2022 - Updated rule and signal message.
23 October 2025 - Updated rule with canned ACL logic @requestParameters.x-amz-acl:(public-read OR public-read-write)