RCP should prevent S3 buckets from using ACLs
Description
A Resource Control Policy (RCP) should prevent S3 buckets from using ACLs. S3 ACLs are a legacy access control mechanism that can lead to unintended public or cross-account access. AWS recommends disabling ACLs by setting object ownership to BucketOwnerEnforced. An RCP can enforce this standard across the organization by denying s3:PutBucketAcl and s3:PutObjectAcl, or restricting s3:CreateBucket to require BucketOwnerEnforced object ownership.
This rule also flags RCPs that use NotAction to exempt S3 ACL actions from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.
Note: All new S3 buckets created after April 2023 have ACLs disabled by default. This RCP ensures existing buckets cannot re-enable ACLs and new buckets maintain the secure default.
Create a Resource Control Policy that explicitly prevents ACL usage using Action (not NotAction) on S3 buckets and attach it to the organization root. Remove any NotAction-based deny statements that exempt S3 actions. The RCP should deny s3:PutBucketAcl and s3:PutObjectAcl operations, or require s3:x-amz-object-ownership to be BucketOwnerEnforced for bucket creation. Refer to the Controlling ownership of objects and RCP syntax documentation for guidance.
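As an added illustration (not code from this rule's own implementation), the checker below applies the two requirements above to an RCP document: it accepts a Deny whose `Action` covers both ACL operations or a Deny on `s3:CreateBucket` conditioned on `s3:x-amz-object-ownership` being `BucketOwnerEnforced`, and it flags any Deny that uses `NotAction` to exempt those ACL actions. The two sample policies are constructed for the example.

```python
import fnmatch
import json

ACL_ACTIONS = ("s3:PutBucketAcl", "s3:PutObjectAcl")

# Constructed sample: compliant RCP using Action-based denies only.
COMPLIANT_RCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyS3Acls", "Effect": "Deny", "Principal": "*", "Resource": "*",
     "Action": ["s3:PutBucketAcl", "s3:PutObjectAcl"]},
    {"Sid": "RequireBucketOwnerEnforced", "Effect": "Deny", "Principal": "*",
     "Resource": "*", "Action": "s3:CreateBucket",
     "Condition": {"StringNotEquals": {"s3:x-amz-object-ownership": "BucketOwnerEnforced"}}}]})

# Constructed sample: NotAction exempts the ACL actions from the deny, leaving a gap.
NONCOMPLIANT_RCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllButAcls", "Effect": "Deny", "Principal": "*", "Resource": "*",
     "NotAction": ["s3:PutBucketAcl", "s3:PutObjectAcl"]}]})

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(action, patterns):
    # IAM action matching is case-insensitive and honours '*' / '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _requires_owner_enforced(stmt):
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    return (_matches("s3:CreateBucket", _as_list(stmt.get("Action")))
            and cond.get("s3:x-amz-object-ownership") == "BucketOwnerEnforced")

def evaluate_rcp(policy_json):
    """Return (compliant, findings) for one RCP document (JSON string)."""
    findings, acl_denied = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        not_actions = _as_list(stmt.get("NotAction"))
        if not_actions:  # Deny-with-NotAction: check whether ACL actions are exempted
            if any(_matches(a, not_actions) for a in ACL_ACTIONS):
                findings.append(f"{stmt.get('Sid', '<no Sid>')}: NotAction exempts S3 ACL actions")
            continue  # only Action-based denies count toward compliance
        actions = _as_list(stmt.get("Action"))
        if all(_matches(a, actions) for a in ACL_ACTIONS) or _requires_owner_enforced(stmt):
            acl_denied = True
    if not acl_denied:
        findings.append("no Deny statement blocks ACL usage or requires BucketOwnerEnforced")
    return acl_denied and not findings, findings
```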