For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible/aws/s3_bucket_acl_allows_read_to_all_users.md. A documentation index is available at /llms.txt.
Metadata

Id: a1ef9d2e-4163-40cb-bd92-04f0d602a15d

Cloud Provider: AWS

Platform: Ansible

Severity: High

Category: Access Control

Description

S3 buckets must not be configured to allow read access to all users. Public-read ACLs make objects and metadata accessible to anyone on the internet, risking data exposure and compliance violations.

For Ansible tasks using the amazon.aws.s3_object or s3_object modules, the permission parameter must not be set to values that start with public-read (for example public-read or public-read-write). Tasks with permission omitted or set to restrictive values such as private, or that rely on explicit bucket policies to grant scoped access, are acceptable. Resources with permission starting with public-read are flagged. Secure configuration example:

- name: Create S3 bucket with private ACL
  amazon.aws.s3_object:
    bucket: my-bucket
    permission: private
    mode: create

Compliant Code Examples

- name: Create an empty bucket
  amazon.aws.s3_object:
    bucket: mybucket
    mode: create
    permission: private
- name: Create an empty bucket2
  amazon.aws.s3_object:
    bucket: mybucket
    mode: create

Non-Compliant Code Examples

---
- name: Create an empty bucket
  amazon.aws.s3_object:
    bucket: mybucket
    mode: create
    permission: public-read
- name: Create an empty bucket2
  amazon.aws.s3_object:
    bucket: mybucket
    mode: create
    permission: public-read-write
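The following checker is an added example, not Datadog's rule engine or any code from the Ansible collection. It applies the logic described above (flag amazon.aws.s3_object / s3_object tasks whose permission starts with public-read) to a playbook or task list that has already been parsed into Python structures, for example with yaml.safe_load(); PyYAML is deliberately not imported so it runs without it. Two assumptions go beyond the description: tasks nested under block/rescue/always are also inspected, and permission is accepted either as one string (as in the examples on this page) or as a list of canned ACLs. The sample inputs are constructed copies of the compliant and non-compliant tasks shown above plus one constructed playbook.

```python
# Added example (not Datadog's scanner): applies the public-read ACL rule to a parsed
# Ansible playbook or bare task list. Assumptions: tasks may be nested in
# block/rescue/always, and `permission` is a string or a list of canned ACL names.

FLAGGED_MODULES = ("amazon.aws.s3_object", "s3_object")
PLAY_SECTIONS = ("pre_tasks", "tasks", "post_tasks")
TASK_CONTAINERS = ("block", "rescue", "always")


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always containers."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        yield task
        for key in TASK_CONTAINERS:
            if key in task:
                yield from iter_tasks(task[key])


def permission_values(module_args):
    """Normalise the module's permission parameter to a list of ACL strings."""
    if not isinstance(module_args, dict) or module_args.get("permission") is None:
        return []
    perm = module_args["permission"]
    return [perm] if isinstance(perm, str) else [str(p) for p in perm]


def check_task(task):
    """Return a finding for a task that grants a public-read* ACL, else None."""
    for module in FLAGGED_MODULES:
        if module in task:
            public = [p for p in permission_values(task[module]) if p.startswith("public-read")]
            if public:
                return {"task": task.get("name", "<unnamed>"), "module": module, "permission": public}
    return None


def scan(document):
    """Scan a parsed playbook (list of plays) or a bare task list; return all findings."""
    findings = []
    for item in document or []:
        if not isinstance(item, dict):
            continue
        if any(section in item for section in PLAY_SECTIONS):
            tasks = [t for section in PLAY_SECTIONS for t in iter_tasks(item.get(section))]
        else:
            tasks = list(iter_tasks([item]))
        findings.extend(f for f in (check_task(t) for t in tasks) if f)
    return findings


# Constructed sample input mirroring the page's compliant and non-compliant task lists.
COMPLIANT_TASKS = [
    {"name": "Create an empty bucket",
     "amazon.aws.s3_object": {"bucket": "mybucket", "mode": "create", "permission": "private"}},
    {"name": "Create an empty bucket2",
     "amazon.aws.s3_object": {"bucket": "mybucket", "mode": "create"}},
]

NONCOMPLIANT_TASKS = [
    {"name": "Create an empty bucket",
     "amazon.aws.s3_object": {"bucket": "mybucket", "mode": "create", "permission": "public-read"}},
    {"name": "Create an empty bucket2",
     "amazon.aws.s3_object": {"bucket": "mybucket", "mode": "create", "permission": "public-read-write"}},
]

# Constructed playbook form: short module name, list-valued permission, task inside a block.
NONCOMPLIANT_PLAYBOOK = [
    {"hosts": "localhost",
     "tasks": [
         {"name": "Upload under a block", "block": [
             {"name": "Upload report",
              "s3_object": {"bucket": "mybucket", "object": "r.txt", "src": "r.txt",
                            "mode": "put", "permission": ["bucket-owner-full-control", "public-read"]}},
         ]},
     ]},
]

if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT_TASKS), ("non-compliant", NONCOMPLIANT_TASKS),
                       ("playbook", NONCOMPLIANT_PLAYBOOK)):
        for finding in scan(doc):
            print(f"{label}: task {finding['task']!r} uses {finding['module']} "
                  f"with permission {finding['permission']}")
```

Running the script reports nothing for the compliant list and one finding per public-read task elsewhere. Checking the prefix rather than an exact string is what catches both public-read and public-read-write, and normalising to a list means a single permissive entry hidden among otherwise restrictive ACLs is still reported.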