---
title: S3 bucket ACL allows read access to any authenticated user
---

# S3 bucket ACL allows read access to any authenticated user

## Metadata{% #metadata %}

**Id:** `ansible-aws-s3-bucket-acl-allows-read-to-any-authenticated-user`

**Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_object_module.html#parameter-permission)

### Description{% #description %}

S3 objects or buckets configured with the `authenticated-read` ACL grant read access to any authenticated AWS user, regardless of which AWS account that user belongs to. This exposes content beyond your account boundary and increases the risk of unauthorized data access or leakage.

In Ansible, tasks that call the `amazon.aws.s3_object` module (by its fully qualified name or the short name `s3_object`) must not set the `permission` parameter to `authenticated-read`. Prefer `permission: private` and grant access explicitly through bucket policies or IAM roles instead. This rule flags Ansible tasks where `permission` is exactly `authenticated-read`.

Secure example:

```yaml
- name: Upload file to S3 with private ACL
  amazon.aws.s3_object:
    bucket: my-bucket
    object: path/file.txt
    src: /local/file.txt
    permission: private
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create an empty bucket
  amazon.aws.s3_object:
    bucket: mybucket
    object: my-object
    mode: create
- name: Create an empty bucket2
  amazon.aws.s3_object:
    bucket: mybucket
    object: my-object-2
    mode: create
    permission: private
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Create an empty bucket2
  amazon.aws.s3_object:
    bucket: mybucket
    object: my-object
    mode: create
    permission: authenticated-read
```
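To show how the rule's match applies to the examples above, the following is an added checker (not Datadog's scanner) that walks a playbook's task list, in the form `yaml.safe_load` returns it, and reports every `amazon.aws.s3_object` / `s3_object` call with an `authenticated-read` permission. It goes slightly beyond the rule's exact-string match by also recursing into `block`/`rescue`/`always` and by accepting the list form of `permission`; the task names and sample values are constructed.

```python
"""Flag Ansible s3_object tasks whose ACL is authenticated-read.

Tasks are supplied as the structures yaml.safe_load would produce for a
playbook's task list, so the script runs without PyYAML installed."""

S3_MODULES = {"amazon.aws.s3_object", "s3_object"}
BAD_ACL = "authenticated-read"


def _permissions(args):
    """The module accepts permission as a string or a list; normalise to a list."""
    perm = args.get("permission")
    if perm is None:
        return []
    return perm if isinstance(perm, list) else [perm]


def find_violations(tasks, path="tasks"):
    """Return one 'location (task name): detail' string per offending task,
    recursing into block/rescue/always so nested tasks are not missed."""
    findings = []
    for i, task in enumerate(tasks):
        here = f"{path}[{i}]"
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                findings += find_violations(task[section], f"{here}.{section}")
        for module in S3_MODULES:
            args = task.get(module)
            if isinstance(args, dict) and BAD_ACL in _permissions(args):
                name = task.get("name", "unnamed")
                findings.append(f"{here} ({name}): {module} permission={args['permission']!r}")
    return findings


# Constructed sample: a private upload, a plain bucket create, an offending
# upload, and an offending task hidden inside a block.
SAMPLE_TASKS = [
    {"name": "Upload file with private ACL",
     "amazon.aws.s3_object": {"bucket": "my-bucket", "object": "path/file.txt",
                              "src": "/local/file.txt", "permission": "private"}},
    {"name": "Create an empty bucket",
     "amazon.aws.s3_object": {"bucket": "mybucket", "mode": "create"}},
    {"name": "Upload readable by any AWS account",
     "s3_object": {"bucket": "mybucket", "object": "my-object", "mode": "put",
                   "src": "/local/file.txt", "permission": "authenticated-read"}},
    {"name": "Rotate report",
     "block": [{"name": "Upload with list-form permission",
                "amazon.aws.s3_object": {"bucket": "mybucket", "object": "report.csv",
                                         "mode": "put", "src": "/tmp/report.csv",
                                         "permission": ["authenticated-read"]}}]},
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_TASKS):
        print(finding)
```

Running it reports the third task and the nested block task; the private upload and the bare `mode: create` task pass, matching the compliant examples above.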
