Predefined permissions, also known as canned ACLs, are a shortcut for granting a fixed set of permissions to predefined groups or users, including groups as broad as every internet user or every AWS account holder.

The following canned ACLs are security-sensitive:

Why is this an issue?

When an S3 bucket is configured with a canned ACL such as public-read, public-read-write, or authenticated-read (PublicRead, PublicReadWrite and AuthenticatedRead in the AWS SDKs), the bucket becomes readable, or readable and writable, by every internet user or by every user of any AWS account, not only users of your own account. This is far broader access than a workload typically requires.

What is the potential impact?

Unauthorized data access

When an S3 bucket is publicly readable, any user on the internet can enumerate and download its contents. This can expose sensitive business data, personally identifiable information (PII), credentials, or configuration files to unauthorized parties.

Data tampering

When an S3 bucket is publicly writable (for example, public-read-write), attackers can upload malicious files, overwrite existing objects, or delete bucket content, leading to data integrity loss, or to a supply chain attack if the bucket serves application assets such as scripts, packages, or container layers.

How to fix it

Set the acl argument to private (the default) so that only the bucket owner has access. On AWS provider v4 and later, the acl argument of aws_s3_bucket is deprecated and the separate aws_s3_bucket_acl resource is used instead; better still, disable ACLs entirely by setting object ownership to BucketOwnerEnforced and enable S3 Block Public Access, so that no canned ACL can reopen the bucket later. A private ACL only covers ACL-based grants: a bucket policy can still make the bucket public and must be reviewed separately.

Code examples

Noncompliant code example

resource "aws_s3_bucket" "mynoncompliantbucket" {
  bucket = "mynoncompliantbucketname"
  acl    = "public-read-write" # Noncompliant
}

Compliant solution

resource "aws_s3_bucket" "mycompliantbucket" {
  bucket = "mycompliantbucketname"
  acl    = "private"
}
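The compliant solution above uses the legacy acl argument. The configuration below is an added example, not part of the original rule description, showing the two ways to get the same result with the AWS provider v4 and later: a bucket with ACLs disabled outright (the recommended shape), and a bucket that must keep ACLs for a legacy workload but pins them to private. Bucket names and resource labels are hypothetical placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# Option 1 (preferred): a bucket on which canned ACLs cannot be used at all.
# Hypothetical bucket name; S3 bucket names are globally unique.
resource "aws_s3_bucket" "hardened" {
  bucket = "example-hardened-bucket-name"
}

# BucketOwnerEnforced disables ACLs: the bucket owner owns every object and any
# PUT that specifies a canned ACL other than bucket-owner-full-control is
# rejected, so "public-read" can never be applied to this bucket or its objects.
resource "aws_s3_bucket_ownership_controls" "hardened" {
  bucket = aws_s3_bucket.hardened.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# S3 Block Public Access: ignore any public ACL that still exists and refuse
# bucket policies that would grant public access.
resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket = aws_s3_bucket.hardened.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Option 2: a bucket that still needs ACLs (for example, objects written by
# another account), kept private with an explicit aws_s3_bucket_acl.
resource "aws_s3_bucket" "legacy" {
  bucket = "example-legacy-bucket-name"
}

# ACLs must remain enabled for aws_s3_bucket_acl to apply, so ownership stays
# at BucketOwnerPreferred rather than BucketOwnerEnforced.
resource "aws_s3_bucket_ownership_controls" "legacy" {
  bucket = aws_s3_bucket.legacy.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# The rule's check applies here: "private" is compliant, while
# "public-read", "public-read-write" or "authenticated-read" would not be.
# The ownership setting has to exist before the ACL can be written.
resource "aws_s3_bucket_acl" "legacy" {
  bucket = aws_s3_bucket.legacy.id
  acl    = "private"

  depends_on = [aws_s3_bucket_ownership_controls.legacy]
}

# Block Public Access is still worth enabling on the legacy bucket so that a
# later change to the ACL or bucket policy cannot expose it.
resource "aws_s3_bucket_public_access_block" "legacy" {
  bucket = aws_s3_bucket.legacy.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

After applying, `aws s3api get-bucket-acl --bucket <name>` should list only the owner as a grantee; any grant whose URI ends in `groups/global/AllUsers` or `groups/global/AuthenticatedUsers` means a public or authenticated-read canned ACL is still in effect.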

Resources

Documentation

Standards