--- title: S3 bucket allows put action from all principals description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket allows put action from all principals --- # S3 bucket allows put action from all principals {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-s3-bucket-allows-put-actions-from-all-principals` **Provider:** AWS **Platform:** CloudFormation **Severity:** Critical **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) ### Description{% #description %} Bucket policies that allow S3 Put actions from the wildcard principal (`*`) enable anyone on the internet to upload or overwrite objects in the bucket. This can lead to unauthorized data tampering, malware uploads, or public exposure of sensitive content. Check `AWS::S3::BucketPolicy` resources' `Properties.PolicyDocument.Statement` entries and flag statements where `Effect: "Allow"`, `Principal: "*"`, and `Action` includes Put operations such as `s3:PutObject` (or other `s3:Put*` actions). `Principal` should specify explicit principals (AWS account IDs, IAM role/user ARNs, or canonical user IDs). If `Principal` is `*`, the statement must include strict conditions (for example, `SourceIp` or `VpcEndpoint`) that effectively prevent public uploads. Statements with `Principal: "*"` and unrestrained Put actions will be flagged. Secure configuration example allowing Put only to a specific role: ```yaml MyBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref MyBucket PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: AWS: arn:aws:iam::123456789012:role/UploadRole Action: - s3:PutObject Resource: arn:aws:s3:::my-bucket/* ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml #this code is a correct code for which the query should not find any result Resources: SampleBucketPolicy1: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref DOC-EXAMPLE-BUCKET PolicyDocument: Statement: - Action: - 's3:PutObject' Effect: Deny Resource: '*' Principal: '*' Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' ``` ```json { "Resources": { "SampleBucketPolicy2": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "DOC-EXAMPLE-BUCKET" }, "PolicyDocument": { "Statement": [ { "Action": [ "s3:PutObject" ], "Effect": "Deny", "Resource": "*", "Principal": "*", "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } } } ] } } } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml #this is a problematic code where the query should report a result(s) Resources: SampleBucketPolicy3: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref DOC-EXAMPLE-BUCKET PolicyDocument: Statement: - Action: "PutObject" Effect: Allow Resource: "*" Principal: "*" Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' SampleBucketPolicy4: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref DOC-EXAMPLE-BUCKET PolicyDocument: Statement: - Action: - "PutObject" - "GetObject" Effect: Allow Resource: "*" Principal: "*" Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' ``` ```json { "Resources": { "SampleBucketPolicy5": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "DOC-EXAMPLE-BUCKET" }, "PolicyDocument": { "Statement": [ { "Action": "PutObject", "Effect": "Allow", "Resource": "*", "Principal": "*", "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } } } ] } } }, "SampleBucketPolicy6": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "DOC-EXAMPLE-BUCKET" }, "PolicyDocument": { "Statement": [ { "Action": [ "PutObject", "GetObject" ], "Effect": "Allow", "Resource": "*", "Principal": "*", "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } } } ] } } } } } ```