S3 bucket ACLs should not be accessible to all authenticated user¶
This control checks whether AWS S3 bucket ACL allow access to all authenticated users.
How to fix¶
Attribute rule[0].object_ownership of aws_s3_bucket_ownership_controls must be "BucketOwnerEnforced".
Implementation options¶
Choose the option that matches how you manage Terraform. All options satisfy this control.
Option 1: Open source module (terraform-aws-modules)¶
If you use terraform-aws-modules/s3-bucket/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = ">=5.0.0"
bucket = "abc123"
object_ownership = "BucketOwnerEnforced"
}
Option 2: Terraform AWS provider resources¶
If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_s3_bucket_ownership_controls.
resource "aws_s3_bucket" "this" {
bucket = "example-abc123"
force_destroy = true
}
resource "aws_s3_bucket_ownership_controls" "this" {
bucket = "example-bucket-abc123"
rule {
object_ownership = "BucketOwnerEnforced"
}
}
Which option should I choose?
- Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
- Open source module (
terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready. - Terraform AWS provider resources: manage Terraform resources directly.
Tool mappings¶
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf (CTF) Control:
s3_bucket_not_accessible_to_all_authenticated_userCheckov Check:
CKV2_AWS_43Powerpipe Control:
aws_compliance.control.s3_bucket_not_accessible_to_all_authenticated_user