Resource-based policies granting access to all users can lead to information leakage.
Resource-based policies in AWS define who can access a resource and what actions they can perform. When the Principal element of a policy is set to "*", access is granted to all users, including anonymous and unauthenticated ones. This violates the principle of least privilege and can expose sensitive data or operations to unauthorized parties.
When a resource-based policy grants access to all principals, any user on the internet can perform the granted actions on the resource, such as reading, modifying, or deleting its contents. This can lead to data breaches, exposure of sensitive information, and misuse of cloud resources.
Restrict the Principal element to specific AWS accounts or IAM roles instead of using the wildcard "*".
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy' # Noncompliant
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: "*" # all principals / anonymous access
            Action: "s3:PutObject" # can put object
            Resource: arn:aws:s3:::mybucket/*
```
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:aws:iam::${AWS::AccountId}:root' # only this principal
            Action: "s3:PutObject" # can put object
            Resource: arn:aws:s3:::mybucket/*
```
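The following added example (not part of the original rule page) shows a small check for the pattern described above. It inspects the JSON form of a PolicyDocument and flags every Allow statement whose Principal contains the wildcard, covering the shapes IAM accepts (a bare "*", an AWS string, an AWS list, a single statement object). The two embedded documents are constructed from the templates above, with 123456789012 as a placeholder account id.

```python
import json

# Constructed samples: JSON form of the two PolicyDocuments above.
# The account id 123456789012 is a placeholder, not a real account.
NONCOMPLIANT = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/*"}]}''')
COMPLIANT = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/*"}]}''')


def _principal_values(principal):
    """Flatten the Principal element to a list of principal strings.

    IAM accepts several shapes: the bare string "*", {"AWS": "*"},
    {"AWS": [...]}, {"Service": "..."}, {"Federated": "..."}.
    """
    if isinstance(principal, str):
        return [principal]
    values = []
    for entry in principal.values():
        values.extend([entry] if isinstance(entry, str) else entry)
    return values


def open_statements(policy):
    """Return indexes of Allow statements whose Principal contains "*".

    A Condition block is deliberately not treated as a fix here: it narrows
    the grant, but the statement still names every principal and should be
    reviewed rather than silently accepted.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    return [i for i, stmt in enumerate(statements)
            if stmt.get("Effect") == "Allow"
            and "*" in _principal_values(stmt.get("Principal", {}))]
```

Statements without a Principal (identity-based policies) are never flagged, and Deny statements are ignored because a wildcard there restricts rather than grants access.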