S3 bucket allows get action from all principals
Id: f97b7d23-568f-4bcc-9ac9-02df0d57fbba
Cloud Provider: AWS
Platform: CloudFormation
Severity: High
Category: Access Control
Description
S3 bucket policies must not allow GET actions to all principals (*). Public read permissions can lead to data exfiltration or unauthorized disclosure of sensitive content. Check the Properties.PolicyDocument.Statement entries of each AWS::S3::BucketPolicy resource and flag any statement that combines Effect: "Allow", a wildcard principal (Principal: "*" or the equivalent Principal: {"AWS": "*"}), and an Action that includes a GET operation (for example, s3:GetObject; note that a wildcard action such as s3:* or * grants GET as well). A Condition block does not exempt a statement: the non-compliant samples below carry an aws:Referer condition and are still reported, and aws:Referer is a client-supplied header that any caller can set, so it provides no real access control. The samples spell the action both as s3:GetObject and as the bare GetObject; the check reports either form, although only the service-prefixed form is an action IAM accepts. Instead, restrict Principal to specific AWS account IDs, roles, or ARNs, or remove the GET actions. If public access is genuinely required, scope it with conditions the caller cannot forge (aws:SourceIp ranges, aws:SourceVpce for VPC endpoints), and keep S3 Block Public Access enabled on every bucket that is not meant to be public; with BlockPublicPolicy set, S3 rejects a bucket policy that grants public access outright.
Secure configuration example (restrict principal to a specific role):
  MyBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: my-bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:role/MyRole
            Action:
              - s3:GetObject
            Resource: arn:aws:s3:::my-bucket/*
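The matching logic described above, written out as a stand-alone checker. This is an added example, not code from the Datadog scanner or from this page. It assumes the template has already been parsed from JSON, treats GetObject and GetObjectVersion as the GET family (an assumption; the rule text names only s3:GetObject), accepts both the bare GetObject spelling used in the samples on this page and the service-prefixed form, and expands IAM wildcards such as s3:Get* and *. The templates it runs on are constructed for the example and mirror the compliant and non-compliant samples below.

```python
"""Added example (not code from the Datadog rule page or its scanner): a
stand-alone checker that applies the rule's logic to a CloudFormation template
parsed from JSON, standard library only. The sample templates are constructed."""
import fnmatch
import json
from typing import Any, Dict, List

# S3 read operations that "GET actions" resolve to; an assumption for this
# example, since the rule text names only s3:GetObject.
S3_GET_OPERATIONS = ("GetObject", "GetObjectVersion")

def _as_list(value: Any) -> list:
    """IAM allows Action, Principal.AWS and Statement to be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principal_is_wildcard(principal: Any) -> bool:
    """True for Principal: "*" and for Principal: {"AWS": "*"} or {"AWS": ["*"]},
    the spellings IAM treats as 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def action_grants_get(action: Any) -> List[str]:
    """Return the action patterns that cover an S3 GET operation. Handles a scalar
    or list, "s3:GetObject" and the bare "GetObject" used by the page's samples,
    and wildcards such as "s3:Get*", "s3:*", "*". IAM matches names case-insensitively."""
    hits = []
    for pattern in _as_list(action):
        text = str(pattern).lower()
        service, _, name = text.partition(":")
        if not name:                    # no service prefix: "GetObject" or "*"
            service, name = "s3", text
        if service not in ("s3", "*"):  # e.g. "iam:*" is unrelated to S3 reads
            continue
        if any(fnmatch.fnmatchcase(op.lower(), name) for op in S3_GET_OPERATIONS):
            hits.append(str(pattern))
    return hits

def find_public_get_statements(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Report each bucket-policy statement that is Allow + wildcard principal + GET.
    A Condition does not exempt a statement (as in the page's samples); aws:Referer
    in particular is a client-supplied header that any caller can set."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::BucketPolicy":
            continue
        policy = resource.get("Properties", {}).get("PolicyDocument", {})
        for index, statement in enumerate(_as_list(policy.get("Statement"))):
            if statement.get("Effect") != "Allow":
                continue
            if not principal_is_wildcard(statement.get("Principal")):
                continue
            get_actions = action_grants_get(statement.get("Action"))
            if get_actions:
                findings.append({"resource": logical_id, "statement": index,
                                 "actions": get_actions,
                                 "conditioned": "Condition" in statement})
    return findings

# Constructed samples: a Deny and a role-scoped Allow (both pass); a public bare
# "GetObject" behind aws:Referer; {"AWS": ["*"]} with "s3:Get*"; and a public
# delete-only statement, which this rule does not cover.
REFERER = {"StringLike": {"aws:Referer": ["http://www.example.com/*"]}}
POLICY = "AWS::S3::BucketPolicy"
COMPLIANT_TEMPLATE = {"Resources": {
    "DenyPublicRead": {"Type": POLICY, "Properties": {
        "Bucket": {"Ref": "DOC-EXAMPLE-BUCKET"}, "PolicyDocument": {"Statement": [
            {"Action": ["s3:GetObject"], "Effect": "Deny", "Resource": "*",
             "Principal": "*", "Condition": REFERER}]}}},
    "ReadForOneRole": {"Type": POLICY, "Properties": {
        "Bucket": "my-bucket", "PolicyDocument": {"Statement": [
            {"Action": ["s3:GetObject"], "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"},
             "Resource": "arn:aws:s3:::my-bucket/*"}]}}}}}
NON_COMPLIANT_TEMPLATE = {"Resources": {
    "SampleBucketPolicy5": {"Type": POLICY, "Properties": {
        "Bucket": {"Ref": "DOC-EXAMPLE-BUCKET"}, "PolicyDocument": {"Statement": [
            {"Action": "GetObject", "Effect": "Allow", "Resource": "*",
             "Principal": "*", "Condition": REFERER}]}}},
    "WildcardPrincipalMap": {"Type": POLICY, "Properties": {
        "Bucket": "my-bucket", "PolicyDocument": {"Statement": [
            {"Action": ["s3:Get*"], "Effect": "Allow", "Principal": {"AWS": ["*"]},
             "Resource": "arn:aws:s3:::my-bucket/*"}]}}},
    "DeleteOnly": {"Type": POLICY, "Properties": {
        "Bucket": "my-bucket", "PolicyDocument": {"Statement": {
            "Action": "s3:DeleteObject", "Effect": "Allow", "Principal": "*",
            "Resource": "*"}}}}}}

if __name__ == "__main__":
    for name, template in (("compliant", COMPLIANT_TEMPLATE),
                           ("non-compliant", NON_COMPLIANT_TEMPLATE)):
        print(name, json.dumps(find_public_get_statements(template), indent=2))
```

Running the block reports two findings for the non-compliant template (the bare GetObject statement, marked as conditioned because of its aws:Referer block, and the s3:Get* statement with the {"AWS": ["*"]} principal) and none for the compliant one; the public delete-only statement is left to a separate rule. To scan a YAML template, parse it first with a loader that understands the !Ref and !Sub tags and pass the resulting dict to find_public_get_statements.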
Compliant Code Examples
# This is correct code for which the query should not report any result
Resources:
  SampleBucketPolicy1:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref DOC-EXAMPLE-BUCKET
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Deny
            Resource: '*'
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
{
  "Resources": {
    "SampleBucketPolicy2": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "DOC-EXAMPLE-BUCKET"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetObject"
              ],
              "Effect": "Deny",
              "Resource": "*",
              "Principal": "*",
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              }
            }
          ]
        }
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "SampleBucketPolicy5": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "DOC-EXAMPLE-BUCKET"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "GetObject",
              "Effect": "Allow",
              "Resource": "*",
              "Principal": "*",
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              }
            }
          ]
        }
      }
    },
    "SampleBucketPolicy6": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "DOC-EXAMPLE-BUCKET"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": ["DeleteObject", "GetObject"],
              "Effect": "Allow",
              "Resource": "*",
              "Principal": "*",
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              }
            }
          ]
        }
      }
    }
  }
}
# This is problematic code for which the query should report a result
Resources:
  SampleBucketPolicy3:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref DOC-EXAMPLE-BUCKET
      PolicyDocument:
        Statement:
          - Action: "GetObject"
            Effect: Allow
            Resource: "*"
            Principal: "*"
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
  SampleBucketPolicy4:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref DOC-EXAMPLE-BUCKET
      PolicyDocument:
        Statement:
          - Action:
              - "DeleteObject"
              - "GetObject"
            Effect: Allow
            Resource: "*"
            Principal: "*"
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'