---
title: S3 bucket allows delete action from all principals
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > S3 bucket allows delete action from all
  principals
---

# S3 bucket allows delete action from all principals

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-s3-bucket-allows-delete-action-from-all-principals`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Critical

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html)

### Description{% #description %}

S3 bucket policies must not grant delete permissions to all principals (`*`). Public delete rights can enable unauthorized data tampering or complete data loss by allowing anyone on the internet to remove objects or buckets.

For Ansible S3 resources (`amazon.aws.s3_bucket` or `s3_bucket`), ensure the `policy` document contains no Statement with `Effect: "Allow"`, `Principal: "*"`, and an `Action` that includes delete operations (for example `s3:DeleteObject` or `s3:DeleteBucket`).

This rule flags bucket resources whose `policy` includes an Allow statement granting delete-related actions to the wildcard principal. Instead, restrict delete permissions to specific AWS account IDs or IAM role/user ARNs, or remove delete actions from any statement whose principal is public.

Secure example restricting delete to a specific AWS account:

```yaml
- name: Create S3 bucket with restricted delete permissions
  amazon.aws.s3_bucket:
    name: my-bucket
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowSpecificAccountDelete",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
            "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
          }
        ]
      }
```
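The check the description above spells out (Allow, wildcard principal, delete-related action), written out as an added Python example; this is not Datadog's rule engine nor code from the Ansible collection. It walks a list of already-parsed Ansible tasks, accepts the `policy` either as a JSON string (the `policy: |` form) or as a YAML mapping, and reports the offending statements. The task list is constructed inline from the examples on this page plus two extra forms; the module-name set and the `DELETE_ACTIONS` list are this example's own assumptions. In a real run you would load the playbook with `yaml.safe_load` and pass the resulting task list to `scan_tasks`.

```python
"""Flag Ansible s3_bucket tasks whose bucket policy grants delete actions to all principals."""
import fnmatch
import json
from typing import Any

# Module names this rule covers (assumption: both the FQCN and the short name).
S3_BUCKET_MODULES = {"amazon.aws.s3_bucket", "s3_bucket"}

# Delete-related S3 actions to look for (constructed list for this example).
DELETE_ACTIONS = ("s3:DeleteObject", "s3:DeleteObjectVersion",
                  "s3:DeleteBucket", "s3:DeleteBucketPolicy")


def _as_list(value: Any) -> list:
    """IAM allows scalars or lists for Statement/Action/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal: Any) -> bool:
    """'*' and {"AWS": "*"} are equivalent: both mean every principal on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def grants_delete(actions: Any) -> bool:
    """True if any action (possibly a wildcard such as 's3:*' or 's3:Delete*') covers a delete action."""
    for action in _as_list(actions):
        pattern = action if ":" in action else f"s3:{action}"  # tolerate unprefixed "DeleteObject"
        if any(fnmatch.fnmatchcase(target.lower(), pattern.lower()) for target in DELETE_ACTIONS):
            return True
    return False


def load_policy(policy: Any) -> dict:
    """The policy arrives as a JSON string (policy: |) or as a mapping parsed from YAML."""
    if isinstance(policy, str):
        return json.loads(policy)
    return policy or {}


def offending_statements(policy: Any) -> list:
    """Return the Sids of statements that Allow a delete action to the wildcard principal."""
    hits = []
    for stmt in _as_list(load_policy(policy).get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and is_public_principal(stmt.get("Principal"))
                and grants_delete(stmt.get("Action"))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def scan_tasks(tasks: list) -> list:
    """Return (task name, bucket name, offending Sids) for every s3_bucket task that violates the rule."""
    findings = []
    for task in tasks:
        for module in S3_BUCKET_MODULES:
            if module in task:
                params = task[module] or {}
                sids = offending_statements(params.get("policy"))
                if sids:
                    findings.append((task.get("name", "<unnamed>"), params.get("name"), sids))
    return findings


# Constructed sample tasks: the page's compliant and non-compliant examples plus two more forms.
SAMPLE_TASKS = [
    {"name": "Restricted delete", "amazon.aws.s3_bucket": {"name": "my-bucket", "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowSpecificAccountDelete", "Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                       "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
                       "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]})}},
    {"name": "Deny public delete", "amazon.aws.s3_bucket": {"name": "mys3bucket", "state": "present", "policy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Principal": "*",
                       "Resource": "arn:aws:s3:::mys3bucket/*"}]}}},
    {"name": "Public delete (flagged)", "s3_bucket": {"name": "mys3bucket", "policy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "DeleteObject", "Principal": "*",
                       "Resource": "arn:aws:s3:::mys3bucket/*"}]}}},
    {"name": "Wildcard action (flagged)", "amazon.aws.s3_bucket": {"name": "logs", "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AnyoneAnything", "Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": "s3:*", "Resource": "arn:aws:s3:::logs/*"}]})}},
]

if __name__ == "__main__":
    for task_name, bucket, sids in scan_tasks(SAMPLE_TASKS):
        print(f"[CRITICAL] task '{task_name}' bucket '{bucket}': public delete in statement(s) {sids}")
```

Two design points matter for a check like this. First, `Action: "s3:*"` (or a bare `"*"`) grants delete just as surely as `s3:DeleteObject`, so the matcher treats actions as patterns rather than comparing strings. Second, the check ignores `Condition` and `NotPrincipal`, so it is a lint over the policy text, not an authorization decision; a statement it flags still deserves a look even if a condition narrows it.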

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
# Compliant: the only statement naming the wildcard principal is a Deny, so the rule reports nothing.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Deny
        Action: s3:DeleteObject
        Principal: '*'
        Resource: arn:aws:s3:::mys3bucket/*
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
# Non-compliant: an Allow statement grants s3:DeleteObject to the wildcard principal, so the rule reports it.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: Allow
        Action: s3:DeleteObject
        Principal: "*"
        Resource: arn:aws:s3:::mys3bucket/*
```
