--- title: S3 bucket should have bucket policy description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket should have bucket policy --- # S3 bucket should have bucket policy {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-s3-bucket-should-have-bucket-policy` **Provider:** AWS **Platform:** CloudFormation **Severity:** Low **Category:** Insecure Defaults #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) ### Description{% #description %} S3 buckets should have an associated bucket policy so explicit access controls can be enforced. This reduces the risk of unintended public or overly broad access to bucket contents. This rule checks `AWS::S3::Bucket` resources for a matching `AWS::S3::BucketPolicy` whose `Bucket` property references the same bucket. The policy may reference the bucket using a `Ref` to the bucket's logical ID, or by matching the bucket's `BucketName` property. Resources missing a matching `AWS::S3::BucketPolicy`, or policies that reference a different identifier, will be flagged. If you omit `BucketName` (letting CloudFormation generate the name), ensure the policy uses `!Ref` to the bucket. If you provide an explicit `BucketName`, the policy may reference that literal name. Secure configuration example: ```yaml MyBucket: Type: AWS::S3::Bucket Properties: BucketName: my-bucket-name MyBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref MyBucket PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: AWS: "arn:aws:iam::123456789012:role/ReadOnlyRole" Action: "s3:GetObject" Resource: !Sub "arn:aws:s3:::${MyBucket}/*" ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: S3Bucket: Type: 'AWS::S3::Bucket' DeletionPolicy: Retain Properties: BucketName: docexamplebucket SampleBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: docexamplebucket PolicyDocument: Statement: - Action: - 's3:GetObject' Effect: Allow Resource: 'Fn::Join': - '' - - 'arn:aws:s3:::' - Ref: docexamplebucket - /* Principal: '*' Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' S3Bucket9: Type: 'AWS::S3::Bucket' DeletionPolicy: Retain Properties: BucketName: docexamplebucket SampleBucketPolicy10: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref docexamplebucket PolicyDocument: Statement: - Action: - 's3:GetObject' Effect: Allow Resource: 'Fn::Join': - '' - - 'arn:aws:s3:::' - Ref: docexamplebucket - /* Principal: '*' Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' ``` ```json { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "A sample template", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "BucketName": "docexamplebucket" } }, "SampleBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": "docexamplebucket", "PolicyDocument": { "Statement": [ { "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "docexamplebucket" }, "/*" ] ] }, "Principal": "*", "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } }, "Action": [ "s3:GetObject" ], "Effect": "Allow" } ] } } }, "S3Bucket9": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "BucketName": "docexamplebucket" } }, "SampleBucketPolicy10": { "Type": "AWS::S3::BucketPolicy", "Properties": { "PolicyDocument": { "Statement": [ { "Principal": "*", "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } }, "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "docexamplebucket" }, "/*" ] ] } } ] }, "Bucket": "docexamplebucket" } } } } ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: MyS3Bucket22: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead MetricsConfigurations: - Id: EntireBucket WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ SampleBucketPolicy2: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref MyS3Bucket22 PolicyDocument: Statement: - Action: - 's3:GetObject' Effect: Allow Resource: 'Fn::Join': - '' - - 'arn:aws:s3:::' - Ref: docexamplebucket - /* Principal: '*' Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: S3Bucket3: Type: 'AWS::S3::Bucket' DeletionPolicy: Retain Properties: BucketName: docexamplebucket1 SampleBucketPolicy5: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: Ref: docexamplebucketfail PolicyDocument: Statement: - Action: - 's3:GetObject' Effect: Allow Resource: 'Fn::Join': - '' - - 'arn:aws:s3:::' - Ref: docexamplebucket1 - /* Principal: '*' Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' S3Bucket: Type: 'AWS::S3::Bucket' DeletionPolicy: Retain Properties: {} SampleBucketPolicy2: Type: AWS::S3::BucketPolicy Properties: Bucket: docexamplebucket2 PolicyDocument: Statement: - Action: - 's3:GetObject' Effect: Allow Resource: 'Fn::Join': - '' - - 'arn:aws:s3:::' - Ref: docexamplebucket - /* Principal: '*' Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' S3Bucket7: Type: 'AWS::S3::Bucket' DeletionPolicy: Retain Properties: BucketName: docexamplebucket5 SampleBucketPolicy8: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref docexamplebucketfail2 PolicyDocument: Statement: - Action: - 's3:GetObject' Effect: Allow Resource: 'Fn::Join': - '' - - 'arn:aws:s3:::' - Ref: docexamplebucket1 - /* Principal: '*' Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' ``` ```json { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Description": "A sample template", "Resources": { "SampleBucketPolicy8": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": "docexamplebucketfail2", "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "docexamplebucket1" }, "/*" ] ] }, "Principal": "*", "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } } } ] } } }, "S3Bucket3": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": { "BucketName": "docexamplebucket1" } }, "SampleBucketPolicy5": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "docexamplebucketfail" }, "PolicyDocument": { "Statement": [ { "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } }, "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "docexamplebucket1" }, "/*" ] ] }, "Principal": "*" } ] } } }, "S3Bucket": { "Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": {} }, "SampleBucketPolicy2": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": "docexamplebucket2", "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "docexamplebucket" }, "/*" ] ] }, "Principal": "*", "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } } } ] } } }, "S3Bucket7": { "DeletionPolicy": "Retain", "Properties": { "BucketName": "docexamplebucket5" }, "Type": "AWS::S3::Bucket" } } } ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Description: A sample template Resources: MyS3Bucket2: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead MetricsConfigurations: - Id: EntireBucket WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ ```