For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-ea8.md. A documentation index is available at /llms.txt.

S3 bucket policies should not allow wildcard principals

Description

S3 bucket resource policies should not grant access to a wildcard principal (Principal: "*", or the equivalent Principal: {"AWS": "*"}) without scoping conditions. An unconditioned wildcard principal in an Allow statement grants the listed actions to every AWS account and to unauthenticated (anonymous) requests, so the objects, or the ability to write or delete them, become reachable by anyone on the internet unless a separate control such as S3 Block Public Access intervenes. Wildcard principals scoped by a policy condition that restricts the caller's identity or origin (such as aws:SourceAccount, aws:SourceArn, or aws:PrincipalOrgID) are not flagged, because the condition limits who can actually use the statement. Note that not every condition scopes the principal: a statement that only requires TLS through aws:SecureTransport, for example, still lets anyone read the bucket, just over an encrypted connection.

Remediation

Review the bucket policy and replace the wildcard principal with the specific AWS accounts, IAM roles or users, or AWS service principals that need access. Where a wildcard is genuinely required (for example, to grant every account in your organization access), keep it but add a condition that scopes it, such as aws:PrincipalOrgID for organization-wide access or aws:SourceAccount together with aws:SourceArn for access originating from a specific resource. Deny statements with a wildcard principal do not widen access and remain the usual way to enforce guardrails such as requiring TLS. For guidance, refer to Bucket policy examples.
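The following Python script is an added example, not code from Datadog or from this rule: it implements the check the description above specifies and exercises it against constructed sample policies that show the flagged form beside the remediated form from the remediation guidance. The bucket name, account ID and organization ID are placeholders; the scoping condition keys beyond the three the rule names (aws:SourceAccount, aws:SourceArn, aws:PrincipalOrgID) are an assumption, since the rule's exact list is not published here.

```python
import json

# Condition keys that narrow who may use the statement. The rule description names
# aws:SourceAccount, aws:SourceArn and aws:PrincipalOrgID; the remaining keys are
# closely related ones added here as an assumption, since the rule's exact list is
# not published on the page. Comparison is case-insensitive, as IAM's is.
SCOPING_CONDITION_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:principalorgid", "aws:principalorgpaths",
    "aws:principalaccount", "aws:principalarn",
}


def _as_list(value):
    """IAM accepts a single value wherever it accepts a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for the forms S3 treats as 'anyone': "*" or {"AWS": "*"}, list form included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def has_scoping_condition(condition):
    """True if some condition in the statement restricts the caller's identity or origin."""
    for operator, pairs in (condition or {}).items():
        # Negated operators (StringNotEquals, ArnNotLike, ...) exclude callers rather
        # than scoping to them, so they do not count as scoping.
        if "not" in operator.lower():
            continue
        if any(key.lower() in SCOPING_CONDITION_KEYS for key in pairs):
            return True
    return False


def find_unscoped_wildcards(policy):
    """Return the Sid (or index) of every Allow statement granting an unscoped wildcard principal."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is a guardrail, not a grant
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        if has_scoping_condition(stmt.get("Condition")):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed sample policies; the bucket, account and organization IDs are placeholders.
# Both statements below are what the rule flags: the first has no condition at all, the
# second requires TLS but still lets anyone on the internet read the objects.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicReadOverTls", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ],
}

# The remediated policy: the wildcard is scoped to one organization, a partner account
# is named explicitly, and the Deny-without-TLS guardrail keeps its wildcard principal
# because a Deny grants nothing.
REMEDIATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("remediated", REMEDIATED_POLICY)):
        print(f"{name}: {find_unscoped_wildcards(policy) or 'no findings'}")
```

Running the script reports PublicRead and PublicReadOverTls for the open policy and no findings for the remediated one. The same function accepts the raw JSON string returned by the GetBucketPolicy API, so it can be pointed at real policies pulled from an account.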