AWS S3 Bucket Policy Does Not Use Allow With Not Principal


This policy validates that no S3 bucket has a bucket policy containing a statement that combines Effect:Allow with NotPrincipal. Such a statement grants the specified actions on the bucket or its objects to every principal, including anonymous users, except the entities listed in NotPrincipal. NotPrincipal is very rarely needed, and pairing it with Effect:Allow is almost always a misconfiguration.


To remediate this, remove the grant that uses NotPrincipal with Effect:Allow, either by deleting the statement entirely or by rewriting it correctly: an Allow should name the intended principals in Principal, and the "everyone except" pattern, if it is genuinely needed, belongs in an Effect:Deny statement.
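The check and the remediation above, as an added example that is not part of the original page or of any vendor tooling. The function below parses a bucket policy document, normalises the single-statement and list forms of Statement, and reports every statement that pairs Effect:Allow with NotPrincipal. The two policy documents are constructed samples: the bucket name, account ID and user name are placeholders, and the "good" policy shows the rewritten form (Allow with an explicit Principal, plus the NotPrincipal restriction moved to a Deny statement).

```python
import json


def _as_list(value):
    """Policy fields such as Statement and Action may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_allow_not_principal(policy):
    """Return the statements in a bucket policy that combine Effect:Allow with NotPrincipal.

    `policy` may be a dict or the raw JSON string returned by GetBucketPolicy.
    Each finding records the statement index, its Sid, the actions it grants and
    the NotPrincipal block, which is what an auditor needs to locate the grant.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") == "Allow" and "NotPrincipal" in stmt:
            findings.append({
                "index": idx,
                "sid": stmt.get("Sid", ""),
                "actions": _as_list(stmt.get("Action")),
                "not_principal": stmt["NotPrincipal"],
            })
    return findings


# Constructed sample (placeholder account and bucket): intended to let only one user
# read objects, but Allow + NotPrincipal grants s3:GetObject to everyone else instead.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyForBob",
        "Effect": "Allow",
        "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:user/Bob"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed rewrite: the Allow names its principal explicitly, and the
# "everyone except" restriction is expressed as a Deny (the account root is
# listed alongside the user so the account itself is not locked out).
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyForBob",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/Bob"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyEveryoneElse",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": [
                "arn:aws:iam::111122223333:user/Bob",
                "arn:aws:iam::111122223333:root",
            ]},
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
        },
    ],
}


if __name__ == "__main__":
    for name, doc in (("BAD_POLICY", BAD_POLICY), ("GOOD_POLICY", GOOD_POLICY)):
        hits = find_allow_not_principal(json.dumps(doc))
        status = "FAIL" if hits else "PASS"
        print(f"{name}: {status}")
        for hit in hits:
            print(f"  statement {hit['index']} ({hit['sid']}) allows "
                  f"{hit['actions']} to everyone except {hit['not_principal']}")
```

In a real audit the policy string would come from `get_bucket_policy()["Policy"]` for each bucket; the checker only looks at the Effect/NotPrincipal pairing, so a Deny with NotPrincipal (the documented way to restrict access to named principals) does not trigger it.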


