Metadata

Id: c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9

Cloud Provider: AWS

Platform: Ansible

Severity: Critical

Category: Access Control

Description

Ansible tasks that set an S3 permission to a public value create publicly accessible buckets or objects, risking data exposure and regulatory non-compliance. For the amazon.aws.s3_object and s3_object modules, the permission property must be defined and must not contain the value public. Use private or another restricted value (for example, authenticated-read) as appropriate.

This rule flags tasks where permission contains public. Tasks missing an explicit permission should be reviewed and set to a non‑public value.

Secure example:

- name: Create private S3 bucket
  amazon.aws.s3_object:
    bucket: my-bucket
    permission: private
    mode: create
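
The check described above, written out as an added example (this is not Datadog's rule engine and not part of the original page). It assumes the playbook has already been parsed into Python structures (in practice with yaml.safe_load), and it goes slightly beyond the page: it walks plays and block/rescue/always nesting, accepts permission given as either a string or a list of canned ACLs, and reports tasks with no explicit permission as needing review, as the description recommends.

```python
"""Flag Ansible s3_object tasks that grant a public canned ACL.

Added example, not Datadog's implementation. Input is an already
parsed playbook (e.g. the result of yaml.safe_load on a playbook file).
"""
from typing import Any, Dict, Iterable, Iterator, List, Tuple

# Module names covered by the rule description on this page.
S3_OBJECT_MODULES = ("amazon.aws.s3_object", "s3_object")

# Keys under which plays and blocks nest further tasks.
NESTING_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers",
                "block", "rescue", "always")

Finding = Tuple[str, str, str]  # (task name, severity, detail)


def _permission_values(permission: Any) -> List[str]:
    """Normalise the module's permission field (string or list) to a list."""
    if permission is None:
        return []
    if isinstance(permission, list):
        return [str(p) for p in permission]
    return [str(permission)]


def _iter_tasks(items: Iterable[Any]) -> Iterator[Dict[str, Any]]:
    """Yield leaf tasks, descending through plays and block-style containers."""
    for item in items or []:
        if not isinstance(item, dict):
            continue
        nested = False
        for key in NESTING_KEYS:
            if key in item:
                nested = True
                yield from _iter_tasks(item[key])
        if not nested:
            yield item


def check_task(task: Dict[str, Any]) -> List[Finding]:
    """Return findings for one parsed task dict."""
    name = str(task.get("name", "<unnamed>"))
    findings: List[Finding] = []
    for module in S3_OBJECT_MODULES:
        if module not in task:
            continue
        args = task[module] or {}
        if not isinstance(args, dict):
            # Free-form "module: key=value" argument strings are not parsed here.
            findings.append((name, "review", f"{module} arguments are not a mapping"))
            continue
        if "permission" not in args:
            findings.append((name, "review", "permission is not set explicitly"))
            continue
        public = [v for v in _permission_values(args["permission"])
                  if "public" in v.lower()]
        if public:
            findings.append((name, "critical", "public ACL: " + ", ".join(public)))
    return findings


def check_playbook(playbook: Iterable[Any]) -> List[Finding]:
    """Run check_task over every leaf task in a parsed playbook or task list."""
    findings: List[Finding] = []
    for task in _iter_tasks(playbook):
        findings.extend(check_task(task))
    return findings


# Constructed sample playbook mirroring the page's compliant and non-compliant tasks.
SAMPLE_PLAYBOOK = [
    {
        "hosts": "localhost",
        "tasks": [
            {"name": "Create private bucket",
             "amazon.aws.s3_object": {"bucket": "mybucket", "mode": "create",
                                      "permission": "private"}},
            {"name": "Create bucket without permission",
             "amazon.aws.s3_object": {"bucket": "mybucket", "mode": "create"}},
            {"name": "Create public-read bucket",
             "amazon.aws.s3_object": {"bucket": "mybucket", "mode": "create",
                                      "permission": "public-read"}},
            {"block": [
                {"name": "Create bucket with ACL list",
                 "s3_object": {"bucket": "mybucket-01", "mode": "create",
                               "permission": ["public-read-write", "private"]}},
            ]},
            {"name": "Unrelated task", "ansible.builtin.debug": {"msg": "hello"}},
        ],
    }
]

if __name__ == "__main__":
    for task_name, severity, detail in check_playbook(SAMPLE_PLAYBOOK):
        print(f"[{severity}] {task_name}: {detail}")
```

Running the module prints one review finding (the task with no permission) and two critical findings (public-read and the list containing public-read-write); the private task and the unrelated debug task produce nothing.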

Compliant Code Examples

- name: Create an empty bucket
  amazon.aws.s3_object:
    bucket: mybucket
    mode: create
    permission: private
- name: Create an empty bucket 02
  amazon.aws.s3_object:
    bucket: mybucket
    mode: create

Non-Compliant Code Examples

---
- name: Create an empty bucket
  amazon.aws.s3_object:
    bucket: mybucket
    mode: create
    permission: public-read
- name: Create an empty bucket 01
  amazon.aws.s3_object:
    bucket: mybucket-01
    mode: create
    permission: public-read-write