S3 bucket allows delete action from all principals
Id: 6fa44721-ef21-41c6-8665-330d59461163
Cloud Provider: AWS
Platform: Ansible
Severity: Critical
Category: Access Control
Description
S3 bucket policies must not grant delete permissions to all principals (*). Public delete rights can enable unauthorized data tampering or complete data loss by allowing anyone on the internet to remove objects or buckets.
For Ansible S3 resources (amazon.aws.s3_bucket or s3_bucket), ensure the policy document contains no Statement with Effect: "Allow", Principal: "*", and an Action that includes delete operations (for example s3:DeleteObject or s3:DeleteBucket).
This rule flags bucket resources whose policy includes an Allow statement granting delete-related actions to the wildcard principal. To remediate, restrict delete permissions to specific AWS account IDs or IAM roles/ARNs, or remove delete actions from statements that target public principals.
Secure example restricting delete to a specific AWS account:

- name: Create S3 bucket with restricted delete permissions
  amazon.aws.s3_bucket:
    name: my-bucket
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowSpecificAccountDelete",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
            "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
          }
        ]
      }
Compliant Code Examples

# This code is correct: the query should not report any result.
# The only statement that names the wildcard principal is a Deny, so no
# public principal is granted a delete action.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: '2012-10-17'
      Statement:
        - Effect: Deny
          Action: s3:DeleteObject
          Principal: '*'
          Resource: arn:aws:s3:::mys3bucket/*
Non-Compliant Code Examples

# This code is problematic: the query should report a result.
# An Allow statement grants a delete action to the wildcard principal,
# so anyone on the internet can remove objects from the bucket.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: s3:DeleteObject
          Principal: "*"
          Resource: arn:aws:s3:::mys3bucket/*
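The check described above, written out as an added example (not Datadog's or the rule's own implementation): it evaluates a bucket policy as Ansible would hand it over, either as a parsed YAML mapping or as the JSON string from a `policy: |` block, and reports Allow statements that grant a delete action to the wildcard principal. It also goes beyond the page's fixtures by treating `s3:*`, `s3:Delete*` and `{"AWS": "*"}` as matches; the list of delete actions and the sample policies are constructed for this example.

```python
import fnmatch
import json

# Delete-related S3 actions to look for (assumed list; the rule text names
# s3:DeleteObject and s3:DeleteBucket as examples).
DELETE_ACTIONS = ("s3:DeleteObject", "s3:DeleteObjectVersion",
                  "s3:DeleteBucket", "s3:DeleteBucketPolicy")

def _as_list(value):
    """IAM accepts a scalar or a list for Principal/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True for Principal: "*" or {"AWS": "*"} (scalar or list form)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def grants_delete(actions):
    """True if any action pattern (s3:DeleteObject, s3:Delete*, s3:*, *) covers a delete."""
    return any(fnmatch.fnmatchcase(action.lower(), str(pattern).lower())
               for pattern in _as_list(actions) for action in DELETE_ACTIONS)

def public_delete_statements(policy):
    """Sids (or positions) of Allow statements granting delete to everyone.
    Accepts a dict (YAML mapping) or a JSON string (policy: | block).
    NotPrincipal/NotAction forms are not evaluated here."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue
        if is_public_principal(stmt.get("Principal")) and grants_delete(stmt.get("Action")):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

# Constructed sample policies mirroring the page's examples.
NON_COMPLIANT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:DeleteObject", "Principal": "*"}]}
COMPLIANT_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Principal": "*"}]}
SECURE_JSON = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowSpecificAccountDelete", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["s3:DeleteObject", "s3:DeleteBucket"]}]})

if __name__ == "__main__":
    for name, pol in [("non-compliant", NON_COMPLIANT), ("deny", COMPLIANT_DENY),
                      ("secure", SECURE_JSON)]:
        print(name, public_delete_statements(pol))
```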