S3 bucket policy allows list actions for all IAM principals and public users Affecting S3 service in AWS

    Severity Framework Snyk CCSS
    Rule category Data / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    AWS-Well-Architected CSA-CCM ISO-27001 SOC-2
  • Snyk ID SNYK-CC-00112
  • credit Snyk Research Team


S3 bucket policies list actions enable users to enumerate information on an organization's S3 buckets and objects. Malicious actors may use this information to identify potential targets for hacks. Users should scope list actions only to users and roles that require this information - not all principals.

How to fix?

Configure the aws_s3_bucket policy field or the aws_s3_bucket_policy with a valid action, effect, and condition.

If a bucket policy is defined in an aws_s3_bucket policy field, ensure the JSON document does NOT contain BOTH an invalid principal, an invalid action, and an invalid effect:

  • Invalid principals:
    • "*"
    • "AWS": "*"
  • Invalid actions:
    • "s3:List*"
    • "s3:ListJobs"
    • "s3:ListBucket"
    • "s3:ListBucketVersions"
    • "s3:ListMultipartUploadParts"
  • Invalid effect:
    • Allow

If a bucket policy as defined as an aws_s3_bucket_policy, ensure the JSON document in the policy field does NOT contain BOTH an invalid principal, an invalid action, and an invalid effect, as listed above

Example Configuration

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
        Sid       = "IPAllow"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
        Condition = {
          NotIpAddress = {
            "aws:SourceIp" = ""
  # other required fields here