---
title: S3 bucket ACL allows read access to all users
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > S3 bucket ACL allows read access to all users
---

# S3 bucket ACL allows read access to all users

## Metadata{% #metadata %}

**Id:** `ansible-aws-s3-bucket-acl-allows-read-to-all-users`

**Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_object_module.html#parameter-permission)

### Description{% #description %}

S3 buckets must not be configured to allow read access to all users. Public-read ACLs make objects and metadata accessible to anyone on the internet, risking data exposure and compliance violations.

For Ansible tasks using the `amazon.aws.s3_object` or `s3_object` modules, the `permission` parameter must not be set to values that start with `public-read` (for example `public-read` or `public-read-write`). Tasks with `permission` omitted or set to restrictive values such as `private`, or that rely on explicit bucket policies to grant scoped access, are acceptable. Resources with `permission` starting with `public-read` are flagged. Secure configuration example:

```yaml
- name: Create S3 bucket with private ACL
  amazon.aws.s3_object:
    bucket: my-bucket
    permission: private
    mode: create
```
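The check described above, written out as an added Python example (not code from the Datadog rule or from the Ansible module): it walks a task list in the shape `yaml.safe_load()` returns for a playbook and flags any `amazon.aws.s3_object` / `s3_object` task whose `permission` starts with `public-read`. It goes slightly beyond the page's examples by also accepting the module's list form of `permission` and by descending into `block:` sections; task names, bucket names and object keys are constructed sample values.

```python
"""Lint parsed Ansible tasks (yaml.safe_load output) for public-read S3 ACLs."""

S3_MODULES = {"amazon.aws.s3_object", "s3_object"}

# Constructed sample tasks (not from the original page): private, ACL omitted,
# public-read as a scalar, public-read-write inside a list, and a nested block.
SAMPLE_TASKS = [
    {"name": "private object",
     "amazon.aws.s3_object": {"bucket": "example-bucket", "object": "a.txt",
                              "mode": "put", "permission": "private"}},
    {"name": "acl omitted",
     "s3_object": {"bucket": "example-bucket", "object": "b.txt", "mode": "put"}},
    {"name": "public read",
     "amazon.aws.s3_object": {"bucket": "example-bucket", "object": "c.txt",
                              "mode": "put", "permission": "public-read"}},
    {"name": "list with public-read-write",
     "amazon.aws.s3_object": {"bucket": "example-bucket", "object": "d.txt",
                              "mode": "put",
                              "permission": ["authenticated-read", "public-read-write"]}},
    {"name": "in a block", "block": [
        {"name": "nested public read",
         "s3_object": {"bucket": "example-bucket", "object": "e.txt",
                       "mode": "put", "permission": "public-read"}}]},
    {"name": "unrelated module",
     "ansible.builtin.debug": {"msg": "permission: public-read"}},
]

def is_public_read(permission):
    """True if any canned ACL in `permission` (scalar or list) starts with public-read.
    The module accepts a list, so one public-read entry anywhere in it is enough."""
    acls = permission if isinstance(permission, list) else [permission]
    return any(isinstance(acl, str) and acl.strip().startswith("public-read")
               for acl in acls)

def find_violations(tasks):
    """Return the names of tasks calling an s3_object module with a public-read ACL."""
    flagged = []
    for task in tasks:
        for module in S3_MODULES & set(task):
            args = task[module]
            if isinstance(args, dict) and is_public_read(args.get("permission")):
                flagged.append(task.get("name", "<unnamed>"))
        # Tasks grouped under block: are checked the same way.
        if isinstance(task.get("block"), list):
            flagged.extend(find_violations(task["block"]))
    return flagged

if __name__ == "__main__":
    for name in find_violations(SAMPLE_TASKS):
        print(f"FLAGGED: {name}")
```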

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create an empty bucket
  amazon.aws.s3_object:
    bucket: mybucket
    object: my-object
    mode: create
    permission: private
- name: Create an empty bucket2
  amazon.aws.s3_object:
    bucket: mybucket
    object: my-object-2
    mode: create
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Create an empty bucket
  amazon.aws.s3_object:
    bucket: mybucket
    object: my-object
    mode: create
    permission: public-read
- name: Create an empty bucket2
  amazon.aws.s3_object:
    bucket: mybucket
    object: my-object-2
    mode: create
    permission: public-read-write
```
