S3 access control lists (ACLs) should not be used to manage user access to buckets
Severity: Medium
Resource Types: AWS::S3::Bucket
Description
This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets.
ACLs are legacy access control mechanisms that predate IAM. Instead of ACLs, we recommend using IAM policies or S3 bucket policies to more easily manage access to your S3 buckets.
Remediation
For more information on managing access to S3 buckets, see Bucket policies and user policies in the Amazon S3 User Guide. For details on how to review your current ACL permissions, see Access control list (ACL) overview in the Amazon S3 User Guide.