Resource-based policies granting access to all users can lead to information leakage.
There is a risk if you answered yes to any of those questions.
It’s recommended to implement the least privilege principle, i.e. to grant necessary permissions only to users for their required tasks. In the context of resource-based policies, list the principals that need the access and grant to them only the required privileges.
This policy allows all users, including anonymous ones, to access an S3 bucket:
resource "aws_s3_bucket_policy" "mynoncompliantpolicy" { # Sensitive
bucket = aws_s3_bucket.mybucket.id
policy = jsonencode({
Id = "mynoncompliantpolicy"
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Principal = {
AWS = "*"
}
Action = [
"s3:PutObject"
]
Resource: "${aws_s3_bucket.mybucket.arn}/*"
}
]
})
}
This policy allows only the authorized users:
resource "aws_s3_bucket_policy" "mycompliantpolicy" {
bucket = aws_s3_bucket.mybucket.id
policy = jsonencode({
Id = "mycompliantpolicy"
Version = "2012-10-17"
Statement = [{
Effect = "Allow"
Principal = {
AWS = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
]
}
Action = [
"s3:PutObject"
]
Resource = "${aws_s3_bucket.mybucket.arn}/*"
}
]
})
}