RCP should prevent S3 buckets from using ACLs
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
A Resource Control Policy (RCP) should prevent S3 buckets from using ACLs. S3 ACLs are a legacy access control mechanism that can lead to unintended public or cross-account access. AWS recommends disabling ACLs by setting object ownership to BucketOwnerEnforced.
This rule verifies that an RCP meets at least one of the following criteria:
- Denies both
s3:PutBucketAcl and s3:PutObjectAcl (these can be in separate deny statements) - Denies
s3:CreateBucket with a condition requiring s3:x-amz-object-ownership to be BucketOwnerEnforced - Uses a wildcard deny (
s3:* or *)
Denying only s3:PutBucketAcl without s3:PutObjectAcl (or vice versa) is insufficient — an attacker could still set ACLs at the object level to grant external access to individual objects.
Note: All new S3 buckets created after April 2023 have ACLs disabled by default. This RCP ensures existing buckets cannot re-enable ACLs and new buckets maintain the secure default.
Create a Resource Control Policy that explicitly prevents ACL usage using Action (not NotAction) on S3 buckets and attach it to the organization root. Remove any NotAction-based deny statements that exempt S3 actions. The RCP should deny s3:PutBucketAcl and s3:PutObjectAcl operations, or require s3:x-amz-object-ownership to be BucketOwnerEnforced for bucket creation. Refer to the Controlling ownership of objects and RCP syntax documentation for guidance.
