--- title: S3 bucket ACL allows read or write to all users description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket ACL allows read or write to all users --- # S3 bucket ACL allows read or write to all users {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-s3-bucket-acl-allows-read-or-write-to-all-users` **Provider:** AWS **Platform:** Terraform **Severity:** Critical **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) ### Description{% #description %} This check identifies AWS S3 buckets that have ACLs allowing read or write access to all users, creating a significant security risk. When S3 buckets are configured with public access (using ACLs such as `public-read` or `public-read-write`), sensitive data can be exposed to unauthorized users, potentially leading to data breaches, intellectual property theft, or compliance violations. To secure your S3 buckets, always use private ACLs, as shown in the example below: ```terraform resource "aws_s3_bucket" "secure_example" { bucket = "my-tf-test-bucket" acl = "private" } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform provider "aws" { region = "us-east-1" } terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.0" } } } resource "aws_s3_bucket" "negative1" { bucket = "my-tf-test-bucket" acl = "private" tags = { Name = "My bucket" Environment = "Dev" } versioning { enabled = true } } ``` ```terraform module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" bucket = "my-s3-bucket" acl = "private" versioning = { enabled = true } } ``` ```terraform provider "aws" { region = "us-east-1" } terraform { required_providers { aws = { source = "hashicorp/aws" version = "4.2.0" } } } resource "aws_s3_bucket" "example0" { bucket = "my-tf-example-bucket" } resource "aws_s3_bucket_acl" "example_bucket_acl" { bucket = aws_s3_bucket.example0.id acl = "private" } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform provider "aws" { region = "us-east-1" } terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.0" } } } resource "aws_s3_bucket" "positive1" { bucket = "my-tf-test-bucket" acl = "public-read" tags = { Name = "My bucket" Environment = "Dev" } versioning { enabled = true } } ``` ```terraform provider "aws" { region = "us-east-1" } terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.0" } } } resource "aws_s3_bucket" "positive2" { bucket = "my-tf-test-bucket" acl = "public-read-write" tags = { Name = "My bucket" Environment = "Dev" } versioning { enabled = true } } ``` ```terraform module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" bucket = "my-s3-bucket" acl = "public-read" versioning = { enabled = true } } ```