--- title: S3 bucket allows list action from all principals description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket allows list action from all principals --- # S3 bucket allows list action from all principals {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-s3-bucket-allows-list-action-from-all-principals` **Provider:** AWS **Platform:** Terraform **Severity:** High **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) ### Description{% #description %} When S3 bucket policies allow List actions (such as `s3:ListObjects`) from all principals (`*`), they create a significant security risk by potentially exposing sensitive data to unauthorized users. This configuration can lead to information disclosure vulnerabilities where private files, folder structures, and metadata become publicly accessible, potentially revealing confidential information or intellectual property. To remediate this issue, either deny the list actions explicitly or restrict them to specific trusted principals and IP addresses. Compare the insecure configuration, `"Effect": "Allow", "Principal": "*", "Action": "s3:ListObjects"`, with the secure approach, `"Effect": "Deny", "Action": "s3:*"`, using appropriate conditions to limit access. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_s3_bucket_policy" "negative1" { bucket = aws_s3_bucket.b.id policy = <