RCP should prevent S3 buckets from using ACLs

Description

A Resource Control Policy (RCP) should prevent S3 buckets from using ACLs. S3 ACLs are a legacy access control mechanism that can lead to unintended public or cross-account access. AWS recommends disabling ACLs by setting object ownership to BucketOwnerEnforced. An RCP can enforce this standard across the organization by denying s3:PutBucketAcl and s3:PutObjectAcl, or restricting s3:CreateBucket to require BucketOwnerEnforced object ownership.

This rule also flags RCPs that use NotAction to exempt S3 ACL actions from a deny statement. A NotAction-based exemption creates a gap that could be exploited if the corresponding explicit deny is ever removed.

Note: All new S3 buckets created after April 2023 have ACLs disabled by default. This RCP ensures existing buckets cannot re-enable ACLs and new buckets maintain the secure default.

Remediation

Create a Resource Control Policy that explicitly prevents ACL usage using Action (not NotAction) on S3 buckets and attach it to the organization root. Remove any NotAction-based deny statements that exempt S3 actions. The RCP should deny s3:PutBucketAcl and s3:PutObjectAcl operations, or require s3:x-amz-object-ownership to be BucketOwnerEnforced for bucket creation. Refer to the Controlling ownership of objects and RCP syntax documentation for guidance.
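The remediation above, as an added example that is not part of the original rule text: a constructed RCP that denies the ACL write actions with Action and requires BucketOwnerEnforced at bucket creation, alongside a checker for the NotAction gap. The policy documents are constructed and `evaluate_rcp`, `covers` and `as_list` are assumed helper names, not an AWS API.

```python
import fnmatch
import json

ACL_ACTIONS = ("s3:PutBucketAcl", "s3:PutObjectAcl")

# Constructed compliant RCP: Action-based deny of ACL writes, plus a deny of
# s3:CreateBucket unless the request sets BucketOwnerEnforced ownership.
COMPLIANT_RCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyS3AclWrites", "Effect": "Deny", "Principal": "*",
         "Action": list(ACL_ACTIONS), "Resource": "*"},
        {"Sid": "RequireBucketOwnerEnforced", "Effect": "Deny", "Principal": "*",
         "Action": "s3:CreateBucket", "Resource": "*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-object-ownership": "BucketOwnerEnforced"}}},
    ]})

# Constructed non-compliant RCP: the NotAction exemption this rule flags.
NOTACTION_RCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*",
                   "NotAction": list(ACL_ACTIONS), "Resource": "*"}]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers(patterns, action):
    # IAM action matching is case-insensitive and allows '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def evaluate_rcp(policy_json):
    """Return (compliant, findings) for one RCP document against this rule."""
    findings, acl_denied, ownership_enforced = [], set(), False
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:  # exemption gap, regardless of what else it denies
            findings.append("NotAction deny exempts %s" % as_list(stmt["NotAction"]))
            continue
        actions = as_list(stmt.get("Action", []))
        acl_denied.update(a for a in ACL_ACTIONS if covers(actions, a))
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if covers(actions, "s3:CreateBucket") and \
                cond.get("s3:x-amz-object-ownership") == "BucketOwnerEnforced":
            ownership_enforced = True
    if len(acl_denied) < len(ACL_ACTIONS) and not ownership_enforced:
        findings.append("no Action-based deny of s3:PutBucketAcl/s3:PutObjectAcl "
                        "and no BucketOwnerEnforced requirement on s3:CreateBucket")
    return (not findings, findings)
```

Run `evaluate_rcp` over each RCP attached to the organization root; a policy that satisfies only the Action-based deny or only the ownership condition still passes, matching the rule's "or".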