---
title: RCP should prevent S3 buckets from using ACLs
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > RCP should prevent S3 buckets from
  using ACLs
---

# RCP should prevent S3 buckets from using ACLs
 
## Description{% #description %}

A Resource Control Policy (RCP) should prevent S3 buckets from using ACLs. S3 ACLs are a legacy access control mechanism that can lead to unintended public or cross-account access. AWS recommends disabling ACLs by setting object ownership to `BucketOwnerEnforced`.

This rule verifies that an RCP meets **at least one** of the following criteria:

- Denies **both** `s3:PutBucketAcl` **and** `s3:PutObjectAcl` (these can be in separate deny statements)
- Denies `s3:CreateBucket` with a condition requiring `s3:x-amz-object-ownership` to be `BucketOwnerEnforced`
- Uses a wildcard deny (`s3:*` or `*`)

Denying only `s3:PutBucketAcl` without `s3:PutObjectAcl` (or vice versa) is insufficient — an attacker could still set ACLs at the object level to grant external access to individual objects.

**Note:** All new S3 buckets created after April 2023 have ACLs disabled by default. This RCP ensures existing buckets cannot re-enable ACLs and new buckets maintain the secure default.

## Remediation{% #remediation %}

Create a Resource Control Policy that explicitly prevents ACL usage using `Action` (not `NotAction`) on S3 buckets and attach it to the organization root. Remove any `NotAction`-based deny statements that exempt S3 actions. The RCP should deny `s3:PutBucketAcl` and `s3:PutObjectAcl` operations, or require `s3:x-amz-object-ownership` to be `BucketOwnerEnforced` for bucket creation. Refer to the [Controlling ownership of objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) and [RCP syntax documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_syntax.html) for guidance.