S3 Bucket Policy Grants Public Read
s3-bucket-policy-public-read
What this rule checks
Detects S3 bucket policies that allow object reads to a wildcard principal with no scoping condition โ the bucket contents are publicly downloadable.
How to fix it
- 1Serve public content through CloudFront with Origin Access Control and scope the bucket policy to the distribution
- 2For genuinely public datasets, suppress this rule on the bucket policy to record the decision
import * as s3 from 'aws-cdk-lib/aws-s3';
const bucket = new s3.Bucket(this, 'Assets');
new s3.CfnBucketPolicy(this, 'Policy', {
bucket: bucket.bucketName,
policyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Principal: '*',
Action: 's3:GetObject',
Resource: bucket.arnForObjects('*'),
},
],
},
});import * as s3 from 'aws-cdk-lib/aws-s3';
const bucket = new s3.Bucket(this, 'Assets');
new s3.CfnBucketPolicy(this, 'Policy', {
bucket: bucket.bucketName,
policyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Principal: { Service: 'cloudfront.amazonaws.com' },
Action: 's3:GetObject',
Resource: bucket.arnForObjects('*'),
Condition: {
StringEquals: {
'aws:SourceArn':
'arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE',
},
},
},
],
},
});CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
Affected resource types
AWS::S3::BucketPolicyIntentional? Suppress this finding
Sometimes a flag is deliberate โ a genuinely public endpoint, say. You can dismiss s3-bucket-policy-public-read and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
"ignoreRules": [
{ "id": "s3-bucket-policy-public-read", "reason": "Why this is intentional" }
]
}Or inline in your CDK code:
Validations.of(scope).acknowledge({
id: 'cdk-insights::s3-bucket-policy-public-read',
reason: 'Why this is intentional',
});Use the rule ID s3-bucket-policy-public-read shown above โ not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs โ
Catch this in your stack
$ npx cdk-insights scanCDK Insights runs this and 136+ other rules locally against your synthesised CDK app โ free, no account, your code never leaves your machine.