For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-s3-bucket-acl-allows-read-or-write-to-all-users.md. A documentation index is available at /llms.txt.

S3 bucket ACL allows read or write to all users

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-s3-bucket-acl-allows-read-or-write-to-all-users

Provider: AWS

Platform: CloudFormation

Severity: Critical

Category: Access Control

Learn More

Description

S3 buckets must not use a public read-write ACL because it allows anyone on the internet to read, upload, modify, or delete objects. This risks data exposure, integrity loss, and service abuse. Check AWS::S3::Bucket resources and ensure the AccessControl property is not set to PublicReadWrite. Resources with AccessControl: PublicReadWrite will be flagged. Set AccessControl to Private or omit the ACL and enforce least-privilege access using bucket policies and a PublicAccessBlockConfiguration (enable BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets) to prevent accidental public access.

Secure configuration example:

MyBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: my-bucket
    AccessControl: Private
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      IgnorePublicAcls: true
      BlockPublicPolicy: true
      RestrictPublicBuckets: true

Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts03:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: BucketOwnerFullControl
      BucketName: jenkins-artifacts
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: CostCenter
          Value: ITEngineering
        - Key: Type
          Value: CICD

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts04:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: jenkins-secret-artifacts
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: CostCenter
          Value: ''

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts05:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      BucketName: jenkins-secret-artifacts2
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: CostCenter
          Value: ITEngineering

Non-Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts01:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicReadWrite
      BucketName: jenkins-artifacts
      Tags:
        - Key: CostCenter
          Value: ITEngineering

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  StaticPage01:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicReadWrite
      BucketName: public-read-static-page01
      WebsiteConfiguration:
        ErrorDocument: 404.html
        IndexDocument: index.html
      Tags:
        - Key: CostCenter
          Value: ITEngineering

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts02:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicReadWrite
      BucketName: jenkins-artifacts-block-public
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: false
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: CostCenter
          Value: ITEngineering
        - Key: Type
          Value: CICD