Terraform Public Bucket Policy Principal Wildcard
Description
Detects AWS S3 bucket policies that allow unauthorized public access by checking for wildcard principals (*) in policy statements. Such configurations can expose bucket contents to anyone on the internet, potentially leading to data breaches and unauthorized access to sensitive information.
Detection Strategy
• Identifies AWS S3 bucket policy resources in Terraform configuration files
• Examines policy statements to find any that use wildcard (*) as the principal, which grants access to all users
• Evaluates whether these policy statements also grant dangerous permissions that could expose bucket contents
• Reports a vulnerability when a bucket policy combines wildcard principals with permissive access rights
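The check described in the strategy above, written out as a small policy-document scanner (an added example, not Fluid Attacks' own scanner code). It operates on the JSON that Terraform's jsonencode() produces for the policy argument, treats "*" and {"AWS": "*"} as public principals, expands Action globs against a constructed list of content-exposing S3 actions, and reports a Condition block rather than trusting it; the sample policy and account id are constructed for the example.

```python
import fnmatch
import json

# Actions that expose or alter bucket contents when granted to everyone
# (constructed list for this example; a real scanner carries a fuller one).
DANGEROUS_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                     "s3:ListBucket", "s3:PutObjectAcl", "s3:PutBucketPolicy")

def _as_list(value):
    # Policy fields may be one string or a list; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def has_wildcard_principal(statement):
    # "*" and {"AWS": "*"} (or an AWS list containing "*") all mean "anyone".
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def dangerous_actions(statement):
    # Expand Action globs such as "*" or "s3:Get*" against the dangerous set.
    patterns = _as_list(statement.get("Action"))
    return sorted(a for a in DANGEROUS_ACTIONS
                  if any(fnmatch.fnmatchcase(a, p) for p in patterns))

def find_public_statements(policy_json):
    # Returns (Sid, matched actions, has Condition) for every Allow statement
    # that combines a wildcard principal with a dangerous action. A Condition
    # is reported, not trusted: it may not restrict who the caller is.
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not has_wildcard_principal(stmt):
            continue
        actions = dangerous_actions(stmt)
        if actions:
            findings.append((stmt.get("Sid", ""), actions, "Condition" in stmt))
    return findings

# Constructed sample policy document, as jsonencode() would emit it.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "AccountOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"},
]})
```

Only the PublicRead statement is reported: the account-scoped Allow has a concrete principal and the Deny with a wildcard principal is not a grant.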
Vulnerable code example
    resource "aws_s3_bucket_policy" "vulnerable_bucket" {
      bucket = "my-bucket"
      policy = jsonencode({
        Version   = "2012-10-17"
        Statement = [
          {
            Effect = "Allow"
            ...
✅ Secure code example
    resource "aws_s3_bucket_policy" "secure_bucket" {
      bucket = "my-bucket"
      policy = jsonencode({
        Version   = "2012-10-17"
        Id        = "SecureBucketPolicy"
        Statement = [
          {
            ...