--- title: S3 bucket allows get action from all principals description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket allows get action from all principals --- # S3 bucket allows get action from all principals {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-s3-bucket-allows-get-action-from-all-principals` **Provider:** AWS **Platform:** Terraform **Severity:** High **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) ### Description{% #description %} When S3 bucket policies allow the `GetObject` action from all principals (using `"Principal: "*"` or `"Principal": {"AWS": "*"}`), they expose private data to anyone on the internet, creating a significant data breach risk. This vulnerability could lead to unauthorized access to sensitive information, intellectual property theft, or compliance violations with regulations like GDPR or HIPAA. Instead of using permissive policies, such as the ones shown below, implement restrictive policies with explicit denials or properly scoped permissions that limit access to specific authenticated principals. ``` "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject" ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_s3_bucket" "negative1" { bucket = "my_tf_test_bucket" } resource "aws_s3_bucket_policy" "negative2" { bucket = aws_s3_bucket.b.id policy = <