This check verifies that an Amazon S3 general-purpose bucket policy does not allow principals in other AWS accounts to perform the risky actions listed below on the bucket or its objects. The check fails if the bucket policy grants any of those actions to a principal in a different AWS account.
Enforcing the principle of least privilege is essential for mitigating security risks and minimizing the repercussions of errors or malicious activities. Allowing access from external accounts through an S3 bucket policy could lead to breaches through data exfiltration by malicious insiders or attackers.
The rule is driven by the blacklistedactionpatterns parameter: a bucket passes when external accounts are granted only action patterns that are not in the blacklistedactionpatterns list.
Risky Actions: s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutObjectAcl
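The evaluation described above, as an added example written for this page rather than Datadog's own rule implementation: it walks every Allow statement of a bucket policy, identifies principals that belong to a different AWS account (or the anonymous principal "*"), and reports each blacklisted action pattern such a statement grants. The bucket owner account, the partner account, the policy itself and the bucket names are constructed sample values; the blacklist defaults to the five risky actions listed above and may also hold globs such as s3:Put*. Policy conditions are deliberately not evaluated, so a conditioned cross-account grant still counts as a finding.

```python
"""Flag risky S3 bucket-policy grants to principals outside the bucket owner's account."""
import fnmatch
import json
import re

# Risky actions from the check description; stands in for the rule's
# blacklistedactionpatterns parameter (entries may be globs such as s3:Put*).
DEFAULT_BLACKLISTED_ACTION_PATTERNS = (
    "s3:DeleteBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutEncryptionConfiguration",
    "s3:PutObjectAcl",
)

_ACCOUNT_IN_ARN = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Yield (raw principal, account id) for AWS principals; '*' marks anonymous access.

    Service, Federated and CanonicalUser principals are not AWS accounts and are skipped.
    """
    if principal == "*":
        yield "*", "*"
        return
    for raw in _as_list((principal or {}).get("AWS")):
        if raw == "*":
            yield raw, "*"
        elif re.fullmatch(r"\d{12}", raw):
            yield raw, raw
        else:
            match = _ACCOUNT_IN_ARN.match(raw)
            if match:
                yield raw, match.group(1)


def _globs_overlap(a, b):
    """IAM action names are case-insensitive; either side may be a glob."""
    a, b = a.lower(), b.lower()
    return fnmatch.fnmatchcase(a, b) or fnmatch.fnmatchcase(b, a)


def _statement_grants(stmt, risky):
    """True if an Allow statement grants the risky action, in Action or NotAction form."""
    if "NotAction" in stmt:
        # Allow + NotAction grants every action except the listed patterns.
        return not any(_globs_overlap(risky, a) for a in _as_list(stmt["NotAction"]))
    return any(_globs_overlap(risky, a) for a in _as_list(stmt.get("Action")))


def find_cross_account_risky_grants(policy, bucket_account_id,
                                    blacklisted_patterns=DEFAULT_BLACKLISTED_ACTION_PATTERNS):
    """Return one finding per (statement, external principal, risky action) combination."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        for raw, account in _principal_accounts(stmt.get("Principal")):
            if account == bucket_account_id:
                continue  # same-account grants are outside the scope of this check
            for risky in blacklisted_patterns:
                if _statement_grants(stmt, risky):
                    findings.append({"sid": stmt.get("Sid"), "principal": raw,
                                     "account": account, "action": risky})
    return findings


def check_passes(policy, bucket_account_id,
                 blacklisted_patterns=DEFAULT_BLACKLISTED_ACTION_PATTERNS):
    """The check passes only when no external principal holds a blacklisted action."""
    return not find_cross_account_risky_grants(policy, bucket_account_id, blacklisted_patterns)


# Constructed sample: the bucket belongs to 123456789012; 111122223333 is a partner account.
BUCKET_ACCOUNT_ID = "123456789012"
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SameAccountAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "PartnerWrite", "Effect": "Allow", "Principal": {"AWS": "111122223333"},
     "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "LogDelivery", "Effect": "Allow", "Principal": {"Service": "logging.s3.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

if __name__ == "__main__":
    for f in find_cross_account_risky_grants(SAMPLE_POLICY, BUCKET_ACCOUNT_ID):
        print(f"{f['sid']}: {f['principal']} (account {f['account']}) may {f['action']}")
    print("check passes:", check_passes(SAMPLE_POLICY, BUCKET_ACCOUNT_ID))
```

On the sample policy only the PartnerWrite statement is reported: its s3:Put* glob covers four of the five risky actions for the partner account, while the read-only partner grant, the same-account grant, the service principal and the Deny statement produce no findings. Feeding the function the policy returned by the get-bucket-policy API for each bucket, together with the bucket owner's account ID, reproduces the check for an inventory of buckets.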
To adjust an Amazon S3 bucket policy to revoke permissions, please refer to the Adding a bucket policy using the Amazon S3 console section in the Amazon Simple Storage Service User Guide.
When on the Edit bucket policy page, within the policy editing text box, choose one of the following actions: