For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-s3-bucket-acl-allows-read-to-any-authenticated-user.md. A documentation index is available at /llms.txt.

S3 bucket ACL allows read to any authenticated user

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-s3-bucket-acl-allows-read-to-any-authenticated-user

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Access Control

Learn More

Description

S3 buckets configured with the AuthenticatedRead canned ACL allow any AWS authenticated user to read bucket objects. This can lead to unintended data exposure and compliance violations. For CloudFormation, the AWS::S3::Bucket resource’s AccessControl property must not be set to AuthenticatedRead. Resources with AccessControl: AuthenticatedRead will be flagged. Set AccessControl: Private or omit ACLs and enforce least-privilege access using explicit bucket policies or IAM principals instead.

Secure configuration example:

MyBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: my-bucket
    AccessControl: Private

Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts03:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: BucketOwnerFullControl
      BucketName: jenkins-artifacts
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: CostCenter
          Value: ITEngineering
        - Key: Type
          Value: CICD

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts04:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: jenkins-secret-artifacts
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: CostCenter
          Value: ''

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts05:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicReadWrite
      BucketName: jenkins-secret-artifacts2
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: CostCenter
          Value: ITEngineering

Non-Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts01:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: AuthenticatedRead
      BucketName: jenkins-artifacts
      Tags:
        - Key: CostCenter
          Value: ITEngineering

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  StaticPage01:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: AuthenticatedRead
      BucketName: public-read-static-page01
      WebsiteConfiguration:
        ErrorDocument: 404.html
        IndexDocument: index.html
      Tags:
        - Key: CostCenter
          Value: ITEngineering

AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
  JenkinsArtifacts02:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: AuthenticatedRead
      BucketName: jenkins-artifacts-block-public
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: false
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: CostCenter
          Value: ITEngineering
        - Key: Type
          Value: CICD