S3 access control lists (ACLs) should not be used to manage user access to buckets

Severity: Medium

Resource Types: AWS::S3::Bucket

Description

This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets.

ACLs are legacy access control mechanisms that predate IAM. Instead of ACLs, we recommend using IAM policies or S3 bucket policies to more easily manage access to your S3 buckets.

Remediation

For more information on managing access to S3 buckets, see Bucket policies and user policies in the Amazon S3 User Guide. For details on how to review your current ACL permissions, see Access control list (ACL) overview in the Amazon S3 User Guide.
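The following is an added example, not code from the Security Hub control or the Amazon S3 User Guide. It shows the check described above (does the bucket ACL grant anything beyond the owner's own FULL_CONTROL?) and the recommended replacement (a bucket policy statement granting the same access to an IAM principal). The evaluation rule, the owner and account identifiers, and the helper names are assumptions constructed for illustration; the input dictionaries follow the shape of the boto3 `get_bucket_acl` response, so a real ACL fetched with `boto3.client("s3").get_bucket_acl(Bucket=name)` can be passed to the same function.

```python
"""Detect ACL-managed access on an S3 bucket and build the bucket-policy
equivalent.  Added example; the pass/fail rule below is an assumption modelled
on the control's description, not Security Hub's published evaluation logic."""

import json

# Constructed canonical IDs (placeholders, not real AWS identifiers).
OWNER_ID = "constructed-owner-canonical-id-0000"
OTHER_ACCOUNT_ID = "constructed-other-account-canonical-id-1111"

# Constructed ACL samples in the shape of boto3 s3.get_bucket_acl() output.
ACL_OWNER_ONLY = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
    ],
}

ACL_WITH_USER_GRANTS = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
        # A second account granted READ through the ACL: the legacy pattern.
        {"Grantee": {"Type": "CanonicalUser", "ID": OTHER_ACCOUNT_ID},
         "Permission": "READ"},
        # A predefined group grant, also managed purely through the ACL.
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}


def describe_grantee(grantee):
    """Render a grantee as a short label for findings output."""
    kind = grantee.get("Type")
    if kind == "CanonicalUser":
        return f"CanonicalUser:{grantee.get('ID')}"
    if kind == "Group":
        return f"Group:{grantee.get('URI')}"
    if kind == "AmazonCustomerByEmail":
        return f"Email:{grantee.get('EmailAddress')}"
    return f"{kind}:?"


def acl_grants_beyond_owner(acl):
    """Return (grantee, permission) pairs for every grant that is not the
    owner's own FULL_CONTROL.  Any such grant means the ACL, rather than an
    IAM or bucket policy, is being used to manage user access."""
    owner_id = acl["Owner"]["ID"]
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        owner_full_control = (grantee.get("Type") == "CanonicalUser"
                              and grantee.get("ID") == owner_id
                              and grant["Permission"] == "FULL_CONTROL")
        if not owner_full_control:
            findings.append((describe_grantee(grantee), grant["Permission"]))
    return findings


def evaluate_bucket_acl(acl):
    """'PASSED' when only the owner's FULL_CONTROL grant is present, else 'FAILED'."""
    return "FAILED" if acl_grants_beyond_owner(acl) else "PASSED"


def read_policy_for_principal(bucket_name, principal_arn):
    """Build the bucket-policy statement that replaces an ACL READ grant:
    object read plus bucket listing for one IAM principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReplaceAclReadGrant",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}",
                    f"arn:aws:s3:::{bucket_name}/*",
                ],
            }
        ],
    }


if __name__ == "__main__":
    for name, acl in [("owner-only", ACL_OWNER_ONLY),
                      ("acl-managed", ACL_WITH_USER_GRANTS)]:
        print(name, evaluate_bucket_acl(acl), acl_grants_beyond_owner(acl))
    # Placeholder bucket name and role ARN; substitute your own values.
    print(json.dumps(read_policy_for_principal(
        "example-bucket", "arn:aws:iam::111122223333:role/ExampleReader"), indent=2))
```

The function reports each non-owner grant so the remediation can be done grant by grant: replace the grant with an equivalent bucket-policy or IAM-policy statement, confirm the principal still has access, then remove the ACL grant. Predefined-group grants (such as the AuthenticatedUsers URI in the sample) have no direct policy equivalent and should be reviewed rather than translated mechanically.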