--- title: S3 bucket allows put action from all principals description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket allows put action from all principals --- # S3 bucket allows put action from all principals {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-s3-bucket-allows-put-action-from-all-principals` **Provider:** AWS **Platform:** Terraform **Severity:** Critical **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) ### Description{% #description %} When an S3 bucket policy allows PUT actions from all principals (`*`), it creates a significant security risk by permitting anyone on the internet to upload files to your bucket. This vulnerability can lead to data tampering, malicious file uploads, increased storage costs, and potentially serve as an attack vector for distributing malware or other harmful content through your infrastructure. To secure your S3 bucket, explicitly deny open PUT permissions, as shown below, or restrict access to specific principals: ```hcl // Insecure configuration Statement: [ { "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject" } ] // Secure configuration Statement: [ { "Effect": "Deny", "Action": "s3:*" } ] ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_s3_bucket_policy" "negative1" { bucket = aws_s3_bucket.b.id policy = <