---
title: S3 bucket allows list action from all principals
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > S3 bucket allows list action from all
  principals
---

# S3 bucket allows list action from all principals

## Metadata{% #metadata %}

**Id:** `ansible-aws-s3-bucket-allows-list-action-from-all-principals`

**Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html)

### Description{% #description %}

S3 bucket policies must not grant list actions to all principals (`"*"`). A publicly listable bucket reveals its object inventory (keys, sizes, timestamps), which lets an attacker discover sensitive objects and, where object reads are also open or misconfigured, download them.

For Ansible resources using `amazon.aws.s3_bucket` or `s3_bucket`, inspect the bucket `policy` document (the module accepts it as a YAML mapping or as a JSON string). Ensure no statement combines `Effect: Allow`, a wildcard principal, and a list action. Note that `Principal: {"AWS": "*"}` is equivalent to `Principal: "*"`, and that wildcard actions such as `s3:*` or `s3:List*` include `s3:ListBucket`, so they satisfy the rule's condition as well.

Resources with a statement that combines `Effect: Allow`, `Principal: "*"`, and a list action are flagged. Instead, restrict the statement to explicit principals (account IDs, role or user ARNs, or AWS service principals), grant access through IAM identity policies attached to the roles that need it, and enable S3 Block Public Access on the bucket or account so that a public listing statement is rejected even if one is introduced later.

Secure example policy that grants List only to a specific principal:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListToSpecificPrincipal",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/AllowedRole" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket"
    }
  ]
}
```
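The check described above, as an added example rather than Datadog's or Ansible's own code: a standalone checker that walks a parsed Ansible tasks file or playbook, picks out `amazon.aws.s3_bucket` / `s3_bucket` tasks, and flags policy statements that combine `Effect: Allow`, a wildcard principal (`"*"` or `{"AWS": "*"}`), and an S3 list action, including wildcard actions such as `s3:*` and `s3:List*`. It accepts the policy as a mapping or as a JSON string, as the module does. `SAMPLE_TASKS`, the bucket names and the `Sid` values are constructed for this example; the role ARN is the one from the policy above.

```python
"""Checker for the rule on this page (added example, not Datadog's or Ansible's
own code). SAMPLE_TASKS is constructed here and mirrors what yaml.safe_load()
returns for an Ansible tasks file."""
import fnmatch
import json
import sys

S3_BUCKET_MODULES = {"amazon.aws.s3_bucket", "s3_bucket"}
# S3 API actions that enumerate bucket contents (IAM matches actions case-insensitively).
LIST_ACTIONS = ("s3:listbucket", "s3:listbucketversions",
                "s3:listbucketmultipartuploads")


def _as_list(value):
    """Statement, Action and Principal.AWS may each be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for Principal: "*" and for Principal: {"AWS": "*"}; AWS treats both as everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def action_allows_listing(action):
    """True if one Action entry grants a list call, including wildcards like s3:* or s3:List*."""
    pattern = str(action).lower()
    return pattern == "*" or any(fnmatch.fnmatchcase(a, pattern) for a in LIST_ACTIONS)


def public_list_statements(policy):
    """Return the offending statements of a bucket policy given as a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    offending = []
    for stmt in _as_list(policy.get("Statement")):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        if any(action_allows_listing(a) for a in _as_list(stmt.get("Action"))):
            offending.append(stmt)
    return offending


def scan_tasks(tasks):
    """Return (task name, bucket name, Sid) for each offending statement.
    Accepts a plain tasks file (list of tasks) or a playbook (list of plays with tasks:)."""
    findings = []
    for item in tasks:
        for task in item.get("tasks") or [item]:
            for module in S3_BUCKET_MODULES.intersection(task):
                params = task[module] or {}
                if params.get("policy") is None:
                    continue
                for stmt in public_list_statements(params["policy"]):
                    findings.append((task.get("name", "<unnamed>"), params.get("name"), stmt.get("Sid")))
    return findings


# Constructed sample: two tasks that must be flagged and two that must not.
SAMPLE_TASKS = [
    {"name": "Public listing", "amazon.aws.s3_bucket": {
        "name": "public-bucket", "state": "present",
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
             "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::public-bucket"}]}}},
    {"name": "Wildcard principal and action, policy as JSON string", "s3_bucket": {
        "name": "wildcard-bucket",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "AllS3", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["s3:Get*", "s3:List*"], "Resource": "arn:aws:s3:::wildcard-bucket"}]})}},
    {"name": "Scoped principal (compliant)", "amazon.aws.s3_bucket": {
        "name": "private-bucket",
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "AllowListToRole", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/AllowedRole"},
             "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::private-bucket"}]}}},
    {"name": "Public object read without listing (out of scope for this rule)", "amazon.aws.s3_bucket": {
        "name": "website-bucket",
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::website-bucket/*"}]}}},
]


def scan_tasks_file(path):
    """Scan a tasks file or playbook on disk (PyYAML is a dependency of Ansible itself)."""
    import yaml
    with open(path) as fh:
        return scan_tasks(yaml.safe_load(fh) or [])


if __name__ == "__main__":
    hits = scan_tasks_file(sys.argv[1]) if len(sys.argv) > 1 else scan_tasks(SAMPLE_TASKS)
    for task_name, bucket, sid in hits:
        print(f"FLAGGED task={task_name!r} bucket={bucket} sid={sid}")
```

Run with a path to flag statements in a real tasks file, or without arguments to scan the built-in sample. The fourth sample task is deliberately left unflagged: a public `s3:GetObject` grant is a different (and also serious) finding, but it does not expose the bucket listing that this rule is about.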

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
# Compliant: list access is granted only to an explicit principal, so the rule reports nothing.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: s3:ListBucket
        Principal:
          AWS: arn:aws:iam::123456789012:role/AllowedRole
        Resource: arn:aws:s3:::mys3bucket
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
# Non-compliant: Effect Allow, Principal "*" and a list action together make the bucket listable by anyone.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: Allow
        Action: s3:ListBucket
        Principal: "*"
        Resource: arn:aws:s3:::mys3bucket
```
