S3 policy grants all permissions to any principal Affecting S3 service in AWS

Configure the aws_s3_bucket policy field or the aws_s3_bucket_policy with a valid action, effect, and condition.

• If an aws_s3_bucket policy is defined in the bucket's policy field, ensure the JSON document does NOT contain BOTH an invalid principal, an invalid action, and an invalid effect:

  • Invalid principals:

    • "Principal": { "AWS": "*" }
    • "Principal": "*"

  • Invalid actions:

    • "*"
    • "s3:*"

  • Invalid effect:

    • "Effect": "Allow"

# Compliant bucket policy
data "aws_iam_policy_document" "example" {
  statement {
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [
      aws_s3_bucket.example.arn,
      "${aws_s3_bucket.example.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
  policy = data.aws_iam_policy_document.example.json
}

• If a bucket policy is defined as an aws_s3_bucket_policy, ensure the JSON document in the policy field does NOT contain BOTH an invalid principal, an invalid action, and an invalid effect, as listed above.

# Compliant bucket policy
data "aws_iam_policy_document" "example" {
  statement {
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [
      aws_s3_bucket.example.arn,
      "${aws_s3_bucket.example.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id
  policy = data.aws_iam_policy_document.example.json
}

Set Actions and Principals attributes of the policy to limited set, e.g Principals: {AWS: ['arn:aws:iam::1234:root]}.