---
title: AWS S3 Bucket ACL made public
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS S3 Bucket ACL made public
Classification: Tactic: [TA0005 Defense Evasion](https://attack.mitre.org/tactics/TA0005) | Technique: [T1562 Impair Defenses](https://attack.mitre.org/techniques/T1562)
## Goal{% #goal %}

Detect when an S3 bucket ACL is successfully modified to grant public access.

## Strategy{% #strategy %}

This rule monitors the [`PutBucketAcl`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html) API call to detect when an S3 bucket is made publicly accessible. The rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array and `@requestParameters.x-amz-acl` parameter to identify public access grants. Public access is identified when the URI contains `http://acs.amazonaws.com/groups/global/AuthenticatedUsers` or `http://acs.amazonaws.com/groups/global/AllUsers`, or when the [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl) parameter includes `public-read` or `public-read-write`. Making S3 buckets publicly accessible can expose sensitive data to unauthorized users and is often unintentional or the result of misconfiguration.
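
The same two checks, written out as an added example that is not Datadog's rule code: it evaluates constructed CloudTrail `PutBucketAcl` events, treating an event with an `errorCode` as a failed call (the rule only fires on successful modifications), and returns which grants or canned ACL made a bucket public. Bucket names and the single-grant-as-object handling are assumptions for illustration.

```python
# Added example, not Datadog's rule code. Event shapes follow CloudTrail's
# documented PutBucketAcl layout; bucket names below are made up.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}


def public_acl_findings(event: dict) -> list[str]:
    """Return the public-access indicators in one CloudTrail PutBucketAcl
    event: explicit AllUsers/AuthenticatedUsers grants and/or a public
    canned ACL. An empty list means the call did not open the bucket."""
    if event.get("eventName") != "PutBucketAcl" or "errorCode" in event:
        return []  # wrong API call, or the modification failed
    params = event.get("requestParameters") or {}
    findings = []
    # A single Grant may be serialised as an object, several as a list
    grants = ((params.get("AccessControlPolicy") or {})
              .get("AccessControlList") or {}).get("Grant") or []
    for grant in [grants] if isinstance(grants, dict) else grants:
        uri = (grant.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            findings.append(f"{uri.rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    canned = params.get("x-amz-acl")
    if canned in PUBLIC_CANNED_ACLS:
        findings.append(f"canned:{canned}")
    return findings


def flagged_buckets(events: list[dict]) -> dict[str, list[str]]:
    """bucketName -> findings, for every event that made a bucket public."""
    return {ev["requestParameters"]["bucketName"]: hits
            for ev in events if (hits := public_acl_findings(ev))}


# Constructed sample events: explicit AllUsers grant, public canned ACL,
# private canned ACL, and a public-read-write attempt that was denied.
SAMPLE_EVENTS = [
    {"eventName": "PutBucketAcl", "requestParameters": {"bucketName": "reports-prod",
     "AccessControlPolicy": {"AccessControlList": {"Grant": [
         {"Grantee": {"type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
         {"Grantee": {"type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
          "Permission": "READ"}]}}}},
    {"eventName": "PutBucketAcl", "requestParameters": {"bucketName": "static-site", "x-amz-acl": "public-read"}},
    {"eventName": "PutBucketAcl", "requestParameters": {"bucketName": "backups", "x-amz-acl": "private"}},
    {"eventName": "PutBucketAcl", "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "secrets", "x-amz-acl": "public-read-write"}},
]
```

Running `flagged_buckets(SAMPLE_EVENTS)` flags only `reports-prod` and `static-site`; the private ACL and the denied call produce no signal.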

## Triage and response{% #triage-and-response %}

- Determine if `{{@userIdentity.arn}}` is authorized to modify S3 bucket permissions and whether this change was intentional.
- Review the bucket contents to assess if any sensitive data has been exposed to public access.
- Verify if the public ACL configuration aligns with legitimate business requirements or if it represents a misconfiguration.
- Investigate whether the same user credentials made other unauthorized API calls or bucket modifications.
- Check S3 access logs to identify if any unauthorized parties accessed the bucket while it was publicly accessible.

## Changelog{% #changelog %}

- 7 April 2022 - Updated rule and signal message.
- 23 October 2025 - Updated rule with canned ACL logic `@requestParameters.x-amz-acl:(public-read OR public-read-write)`.
