S3 bucket allows put action from all principals
This product is not supported for your selected
Datadog site. (
).
Id: f6397a20-4cf1-4540-a997-1d363c25ef58
Cloud Provider: AWS
Platform: CloudFormation
Severity: Critical
Category: Access Control
Learn More
Description
Bucket policies that allow S3 Put actions from the wildcard principal (*) enable anyone on the internet to upload or overwrite objects in the bucket. This can lead to unauthorized data tampering, malware uploads, or public exposure of sensitive content.
Check AWS::S3::BucketPolicy resources’ Properties.PolicyDocument.Statement entries and flag statements where Effect: "Allow", Principal: "*", and Action includes Put operations such as s3:PutObject (or other s3:Put* actions). Principal should specify explicit principals (AWS account IDs, IAM role/user ARNs, or canonical user IDs). If Principal is *, the statement must include strict conditions (for example, SourceIp or VpcEndpoint) that effectively prevent public uploads. Statements with Principal: "*" and unrestrained Put actions will be flagged.
Secure configuration example allowing Put only to a specific role:
MyBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref MyBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: arn:aws:iam::123456789012:role/UploadRole
Action:
- s3:PutObject
Resource: arn:aws:s3:::my-bucket/*
Compliant Code Examples
#this code is a correct code for which the query should not find any result
Resources:
SampleBucketPolicy1:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref DOC-EXAMPLE-BUCKET
PolicyDocument:
Statement:
- Action:
- 's3:PutObject'
Effect: Deny
Resource: '*'
Principal: '*'
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
{
"Resources": {
"SampleBucketPolicy2": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "DOC-EXAMPLE-BUCKET"
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Deny",
"Resource": "*",
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
}
}
}
Non-Compliant Code Examples
{
"Resources": {
"SampleBucketPolicy5": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "DOC-EXAMPLE-BUCKET"
},
"PolicyDocument": {
"Statement": [
{
"Action": "PutObject",
"Effect": "Allow",
"Resource": "*",
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
},
"SampleBucketPolicy6": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "DOC-EXAMPLE-BUCKET"
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"PutObject",
"GetObject"
],
"Effect": "Allow",
"Resource": "*",
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
}
}
}
#this is a problematic code where the query should report a result(s)
Resources:
SampleBucketPolicy3:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref DOC-EXAMPLE-BUCKET
PolicyDocument:
Statement:
- Action: "PutObject"
Effect: Allow
Resource: "*"
Principal: "*"
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
SampleBucketPolicy4:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref DOC-EXAMPLE-BUCKET
PolicyDocument:
Statement:
- Action:
- "PutObject"
- "GetObject"
Effect: Allow
Resource: "*"
Principal: "*"
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
