--- title: S3 bucket with unsecured CORS rule description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket with unsecured CORS rule --- # S3 bucket with unsecured CORS rule {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `ansible-aws-s3-bucket-with-unsecured-cors-rule` **Provider:** AWS **Platform:** Ansible **Severity:** Medium **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/s3_cors_module.html#parameter-rules) ### Description{% #description %} S3 CORS rules must restrict allowed origins, methods, and headers to prevent unintended cross-origin access and data exfiltration. Overly permissive CORS (wildcard origins, all methods, or all headers) can allow arbitrary web pages to interact with or read bucket resources. For Ansible resources `community.aws.s3_cors` and `s3_cors`, inspect each `rules` entry. `allowed_origins` should specify trusted origins (avoid `"*"` or unnecessarily broad lists). `allowed_methods` must not be `["*"]` and should include only the HTTP verbs required by your application. `allowed_headers` must not be `["*"]` and should be limited to the headers actually needed. Rules with wildcard `allowed_methods` or `allowed_headers`, or with wildcard or overly broad origins are flagged. Prefer a single explicit origin or a narrowly-scoped set and the minimal set of methods and headers. Secure example: ```yaml - name: Configure S3 CORS community.aws.s3_cors: name: my-bucket rules: - allowed_origins: - https://app.example.com allowed_methods: - GET - HEAD allowed_headers: - Authorization - Content-Type ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml - name: Create s3 bucket community.aws.s3_cors: name: mys3bucket3 state: present rules: - allowed_origins: - http://www.example.com/ allowed_methods: - GET - POST allowed_headers: - Authorization expose_headers: - x-amz-server-side-encryption - x-amz-request-id max_age_seconds: 30000 ``` ```yaml - name: Create s3 bucket1 community.aws.s3_cors: name: mys3bucket4 state: present rules: - allowed_origins: - http://www.example.com/ allowed_methods: - GET - POST allowed_headers: - Authorization expose_headers: - x-amz-server-side-encryption - x-amz-request-id max_age_seconds: 30000 ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml - name: Create s3 bucket2 community.aws.s3_cors: name: mys3bucket state: present rules: - allowed_origins: - http://www.example.com/ allowed_methods: - GET - POST - PUT - DELETE - HEAD allowed_headers: - Authorization expose_headers: - x-amz-server-side-encryption - x-amz-request-id max_age_seconds: 30000 ``` ```yaml - name: Create s3 bucket4 community.aws.s3_cors: name: mys3bucket2 state: present rules: - allowed_origins: - http://www.example.com/ allowed_methods: - GET - POST - PUT - DELETE - HEAD allowed_headers: - Authorization expose_headers: - x-amz-server-side-encryption - x-amz-request-id max_age_seconds: 30000 ```