Resource-based policies granting access to all users can lead to information leakage.

Why is this an issue?

Resource-based policies in AWS (S3 bucket policies, SQS queue policies, KMS key policies, Lambda function policies, and similar) define which principals may act on a resource and what actions they may perform. When the Principal element of an Allow statement is "*" (or {"AWS": "*"}, which AWS treats as equivalent), the statement matches every caller, anonymous and unauthenticated requests included where the service accepts them (S3, for example), unless a Condition narrows it. This violates the principle of least privilege and exposes the data or operations the statement covers to anyone on the internet.

What is the potential impact?

Unauthorized data access

When a resource-based policy grants access to all principals, anyone on the internet, authenticated or not, can perform the actions the statement allows on the resource: read, write, overwrite, or delete its contents, depending on the Action list. With s3:PutObject, for example, anyone can upload or overwrite objects and run up storage costs in your account. This can lead to data breaches, exposure of sensitive information, and misuse of cloud resources.

How to fix it

Restrict the Principal element to the specific AWS accounts, IAM roles or users, or AWS services that actually need access, instead of using the wildcard "*". If a wildcard is unavoidable (for example a bucket policy that must admit any account in your organization), pair it with a Condition that pins the caller down, using keys such as aws:PrincipalOrgID, aws:PrincipalAccount, aws:SourceArn or aws:SourceAccount. Do not rely on the ...IfExists operator variants for this: the condition key is absent on anonymous requests, so the condition evaluates to true and the statement still matches them. Note also that granting to an account root ARN (arn:aws:iam::ACCOUNT_ID:root) delegates to the whole account: any IAM principal in it whose identity-based policy also allows the action can use the grant.

Code examples

Noncompliant code example

# aws_s3_bucket.mybucket is assumed to be declared elsewhere in the module.
resource "aws_s3_bucket_policy" "mynoncompliantpolicy" {  # Noncompliant
  bucket = aws_s3_bucket.mybucket.id
  policy = jsonencode({
    Id      = "mynoncompliantpolicy"
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        AWS = "*"  # matches every caller, anonymous requests included
      }
      Action = [
        "s3:PutObject"  # anyone can upload or overwrite objects
      ]
      Resource = "${aws_s3_bucket.mybucket.arn}/*"
    }]
  })
}

Compliant solution

# Resolves the account the configuration is applied in; aws_s3_bucket.mybucket
# is assumed to be declared elsewhere in the module.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket_policy" "mycompliantpolicy" {
  bucket = aws_s3_bucket.mybucket.id
  policy = jsonencode({
    Id      = "mycompliantpolicy"
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        # Only identities in this account (that also carry a matching
        # identity-based policy) can use the grant; anonymous callers cannot.
        AWS = [
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        ]
      }
      Action = [
        "s3:PutObject"
      ]
      Resource = "${aws_s3_bucket.mybucket.arn}/*"
    }]
  })
}
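To see the rule's logic in action outside Terraform, here is an added Python checker (example code written for this page, not part of the SonarSource rule or of any AWS tool) that walks a policy document and reports Allow statements whose Principal is "*" or {"AWS": "*"} with no Condition pinning the caller down. It also treats the ...IfExists operator variants as non-restricting, since anonymous requests lack the condition key. The set of restricting condition keys is a working assumption for the example rather than AWS's official definition of "public", and the sample policies, including the account ID and organization ID, are constructed.

```python
"""Flag Allow statements in an AWS resource-based policy that grant access to everyone."""
import json

# Condition keys that pin a wildcard principal to a known account, organization,
# calling service or VPC endpoint. Assumption for this example, not an official list.
RESTRICTING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcearn", "aws:sourceaccount", "aws:sourcevpce", "aws:sourcevpc",
}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True if the Principal element matches every caller, anonymous ones included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def statement_has_restricting_condition(statement):
    """True if a Condition narrows the wildcard principal to a known caller."""
    condition = statement.get("Condition") or {}
    for operator, keys in condition.items():
        op = operator.lower()
        # Negated operators and Null checks do not pin the caller down, and the
        # IfExists variants evaluate to true when the key is absent (anonymous requests).
        if "not" in op or op.startswith("null") or op.endswith("ifexists"):
            continue
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in keys):
            return True
    return False


def public_statements(policy):
    """Return the Sid (or index) of each Allow statement that is effectively public."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is a guardrail, not a grant
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        if statement_has_restricting_condition(stmt):
            continue
        findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


# Constructed sample policies (placeholder account and organization IDs).
NONCOMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicPut", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::mybucket/*",
    }],
}

COMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountPut", "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
        "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::mybucket/*",
    }],
}

MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # wildcard principal scoped to one organization: not public
            "Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
        {   # Deny statements with "*" are fine; they only take access away
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # IfExists lets anonymous requests (no aws:PrincipalOrgID) through
            "Sid": "LeakyIfExists", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/public/*",
            "Condition": {"StringEqualsIfExists": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in [("noncompliant", NONCOMPLIANT_POLICY),
                         ("compliant", COMPLIANT_POLICY),
                         ("mixed", MIXED_POLICY)]:
        print(f"{name}: {public_statements(policy) or 'no public statements'}")
```

Run it against a policy pulled with `aws s3api get-bucket-policy` (the Policy field is a JSON string and can be passed to public_statements as-is). The checker flags PublicPut and LeakyIfExists and accepts the org-scoped and account-root grants.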

Resources

Documentation

Standards