--- title: S3 bucket allows delete action from all principals description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket allows delete action from all principals --- # S3 bucket allows delete action from all principals {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-s3-bucket-allows-delete-action-from-all-principals` **Provider:** AWS **Platform:** Terraform **Severity:** Critical **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) ### Description{% #description %} This vulnerability occurs when an S3 bucket policy allows the delete action from all principals (`*`), which can lead to unauthorized deletion of data and potential data loss or service disruption. Even when IP address conditions are applied, allowing delete actions from all principals presents a significant security risk as it could be exploited if the IP restriction is bypassed or misconfigured. An insecure configuration looks like the following: ``` { "Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::my_tf_test_bucket/*" } ``` To secure your S3 bucket, either explicitly deny the action or restrict it to specific principals: ``` { "Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::my_tf_test_bucket/*" } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_s3_bucket_policy" "negative1" { bucket = aws_s3_bucket.b.id policy = <