---
title: >-
  S3 bucket policies should not grant access to accounts outside the
  organization
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > S3 bucket policies should not grant
  access to accounts outside the organization
---

# S3 bucket policies should not grant access to accounts outside the organization
 
## Description{% #description %}

S3 bucket policies should only grant access to AWS accounts that belong to the same AWS Organization. When a bucket policy contains unconditioned `Allow` statements referencing AWS principals from accounts outside the organization, it creates a risk of unauthorized data access or exfiltration by third parties.

This rule evaluates each `Allow` statement in the bucket policy that has no conditions attached, extracts the account ID from any AWS principal ARNs (including bare 12-digit account IDs), and verifies that those accounts are members of the same AWS Organization as the bucket owner. Same-account access, conditioned statements, service principals, and non-account-based principals are not flagged.

### Blind spots{% #blind-spots %}

- Conditioned `Allow` statements granting access to external accounts are not flagged. If the condition does not adequately restrict access (e.g., the condition checks `s3:prefix` rather than `aws:PrincipalOrgID`), external access may go undetected.
- AWS-managed service accounts (e.g., the [ELB log delivery account](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html) `127311923021`) are flagged as external since they are not members of any customer organization. These are expected false positives for buckets that use [ELB access logging](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html) or similar AWS-managed integrations.

## Remediation{% #remediation %}

Review the S3 bucket policy and remove or restrict unconditioned `Allow` statements that grant access to AWS accounts outside your organization.

1. Open the [Amazon S3 console](https://console.aws.amazon.com/s3/) and select the affected bucket.
1. Navigate to the **Permissions** tab and under **Bucket policy**, choose **Edit**.
1. Identify any `Allow` statements where the `Principal` references an account not in your AWS Organization and no condition restricts the access scope.
1. Either remove the external account principal, replace it with an organization-internal account, or add a condition key such as `aws:PrincipalOrgID` to scope access to your organization. For guidance on restricting access with organization-based conditions, refer to [AWS Organizations condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid).
1. Save the updated policy.

For a broader overview of S3 bucket policy management, refer to [Adding a bucket policy using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html).
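The checking logic described in the Description and Blind spots sections above, together with the `aws:PrincipalOrgID` remediation from the steps above, as an added Python example that is not Datadog's rule implementation. The bucket policy, the account IDs (apart from the ELB log delivery account `127311923021` named above), the organization ID `o-exampleorgid` and the function names are constructed for illustration.

```python
"""Flag unconditioned Allow statements that grant S3 access to accounts outside
the organization, then scope the offending statements with aws:PrincipalOrgID.

Added example, not Datadog's rule code. All sample values are constructed.
"""
import copy
import re

# Constructed sample values: the bucket owner's org and a placeholder org ID.
ORG_ACCOUNTS = {"111111111111", "222222222222"}
ORG_ID = "o-exampleorgid"

# A bare 12-digit account ID, or the account field of an IAM/STS principal ARN.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_RE = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def account_ids_from_principal(principal):
    """Return the account IDs named under the Principal's "AWS" key.

    "*", "Service" and "Federated" principals are not account-based and are
    ignored, matching the rule's scope.
    """
    if not isinstance(principal, dict):
        return set()
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    ids = set()
    for p in aws:
        if ACCOUNT_ID_RE.match(p):
            ids.add(p)
        elif (m := ARN_RE.match(p)):
            ids.add(m.group(1))
    return ids


def find_external_grants(policy, org_accounts):
    """Return (Sid, account_id) pairs for unconditioned Allow statements whose
    principal is an account outside org_accounts, in statement order."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny and conditioned statements are out of scope
        for acct in sorted(account_ids_from_principal(stmt.get("Principal"))):
            if acct not in org_accounts:
                findings.append((stmt.get("Sid", "<no Sid>"), acct))
    return findings


def remediate(policy, org_accounts, org_id, ignore_accounts=frozenset()):
    """Return a copy of policy where each flagged statement gets a
    StringEquals aws:PrincipalOrgID condition. Statements whose only external
    principals are in ignore_accounts (known AWS-managed accounts) are left
    untouched so they can be triaged by hand instead."""
    fix_sids = {sid for sid, acct in find_external_grants(policy, org_accounts)
                if acct not in ignore_accounts}
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") in fix_sids:
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})["aws:PrincipalOrgID"] = org_id
    return fixed


# Constructed bucket policy exercising each case the rule distinguishes.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnerRead", "Effect": "Allow",  # same org: not flagged
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",  # external, unconditioned: flagged
         "Principal": {"AWS": ["arn:aws:iam::999999999999:user/partner", "222222222222"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ConditionedExternal", "Effect": "Allow",  # conditioned: blind spot
         "Principal": {"AWS": "arn:aws:iam::888888888888:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringLike": {"s3:prefix": ["logs/*"]}}},
        {"Sid": "CloudTrailWrite", "Effect": "Allow",  # service principal: not flagged
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/AWSLogs/*"},
        {"Sid": "ElbLogDelivery", "Effect": "Allow",  # AWS-managed: expected false positive
         "Principal": {"AWS": "arn:aws:iam::127311923021:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/AWSLogs/*"},
    ],
}

if __name__ == "__main__":
    for sid, acct in find_external_grants(SAMPLE_POLICY, ORG_ACCOUNTS):
        print(f"external unconditioned grant: Sid={sid} account={acct}")
    fixed = remediate(SAMPLE_POLICY, ORG_ACCOUNTS, ORG_ID, ignore_accounts={"127311923021"})
    print("remaining after fix:", find_external_grants(fixed, ORG_ACCOUNTS))
```

Run as-is, the checker reports `PartnerRead` and `ElbLogDelivery`; the conditioned statement is skipped even though its `s3:prefix` condition does nothing to restrict which account may call, which is exactly the first blind spot. The ELB log delivery account is passed through `ignore_accounts` because adding `aws:PrincipalOrgID` to that statement would break log delivery, so that finding is left for manual triage rather than auto-remediated.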
