---
title: S3 bucket policies should not allow wildcard principals
---

# S3 bucket policies should not allow wildcard principals
## Description{% #description %}

S3 bucket resource policies should not grant access to wildcard principals (`Principal: "*"`) without scoping conditions. An unconditional wildcard principal allows any AWS account or unauthenticated user to access the resource, creating a significant security risk. Wildcard principals scoped by policy conditions (such as `aws:SourceAccount`, `aws:SourceArn`, or `aws:PrincipalOrgID`) are not flagged, because the condition restricts effective access.

## Remediation{% #remediation %}

Review and restrict the bucket policy to specific AWS accounts, IAM principals, or services. Alternatively, add scoping conditions that restrict access. For guidance, refer to [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html).
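The following is an added example (not part of the Datadog documentation and not Datadog's detection code) that applies the rule described above to bucket policy documents: it flags `Allow` statements whose `Principal` is a wildcard (`"*"` or `{"AWS": "*"}`) unless the statement carries one of the scoping condition keys named in the Description. The sample policies, bucket names, account and organization ids are constructed placeholders, and treating only `aws:SourceAccount`, `aws:SourceArn` and `aws:PrincipalOrgID` as scoping keys is an assumption of this example; it also shows the two remediations side by side (a wildcard scoped by `aws:PrincipalOrgID`, and a grant restricted to one account principal) next to a policy whose only condition, `aws:SecureTransport`, limits how the bucket is reached but not who can reach it, so it is still flagged.

```python
import json

# Condition keys that scope a wildcard principal to a known account, ARN or
# organization. The rule text names these three; treating only these as
# "scoping" is an assumption of this example (extend for your environment).
SCOPING_CONDITION_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalorgid"}


def _as_list(value):
    """IAM lets many elements be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True when the Principal element grants to everyone.

    Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` are anonymous grants.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def has_scoping_condition(statement):
    """True when some Condition block uses a scoping key (keys are case-insensitive)."""
    condition = statement.get("Condition") or {}
    for operator_block in condition.values():  # e.g. {"StringEquals": {...}}
        if any(key.lower() in SCOPING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def find_unscoped_wildcard_statements(policy):
    """Return the Sids (or positional labels) of Allow statements that grant to a
    wildcard principal without a scoping condition. Accepts a dict or JSON text."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # a Deny to "*" is a guardrail, not a grant
        if not principal_is_wildcard(statement.get("Principal")):
            continue
        if has_scoping_condition(statement):
            continue
        findings.append(statement.get("Sid", f"statement[{index}]"))
    return findings


# Constructed sample policies; bucket, account and org ids are placeholders.
UNSCOPED_PUBLIC_READ = {  # flagged: anyone, including anonymous users, can read
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

TLS_ONLY_WILDCARD = {  # still flagged: aws:SecureTransport limits how, not who
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TlsOnlyButPublic", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"Bool": {"aws:SecureTransport": "true"}}}],
}

SCOPED_BY_ORG = {  # not flagged: wildcard scoped to one AWS Organization
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OrgRead", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}],
}

RESTRICTED_TO_ACCOUNT = {  # not flagged: one specific account principal
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PartnerRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    for name, policy in [("UNSCOPED_PUBLIC_READ", UNSCOPED_PUBLIC_READ),
                         ("TLS_ONLY_WILDCARD", TLS_ONLY_WILDCARD),
                         ("SCOPED_BY_ORG", SCOPED_BY_ORG),
                         ("RESTRICTED_TO_ACCOUNT", RESTRICTED_TO_ACCOUNT)]:
        print(name, find_unscoped_wildcard_statements(policy) or "ok")
```

The checker deliberately ignores `Deny` statements (a `Deny` to `"*"` is a guardrail, not a grant) and compares condition keys case-insensitively, since IAM treats them that way. To run it against live buckets, feed it the document returned by `aws s3api get-bucket-policy` for each bucket; anything returned by `find_unscoped_wildcard_statements` is a statement to restrict to named principals or to scope with one of the condition keys above.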
