AWS S3 Bucket Policy Does Not Use Allow With Not Principal
Remediation Effort
This policy validates that no S3 bucket has a bucket policy containing a statement that uses Effect:Allow together with NotPrincipal. Such a statement grants the specified actions on the bucket's objects to every entity except the one named in NotPrincipal, which amounts to global access. Needing NotPrincipal at all is very rare, and combining NotPrincipal with Effect:Allow is almost always a misconfiguration.
To remediate this, remove the grant that uses NotPrincipal with Effect:Allow, either by deleting the statement entirely or by rewriting it correctly, for example as an Effect:Allow with an explicit Principal listing the identities that should have access.
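The check described above, written as an added Python example (not the vendor's own policy code). The `policy(resource)` entry point and the `Policy` field holding the bucket policy as a JSON string are assumptions about the resource shape; the sample bucket policies are constructed for illustration.

```python
import json
from typing import Any, Dict, List, Optional, Union


def find_allow_not_principal(policy: Union[str, Dict[str, Any], None]) -> List[str]:
    """Return an identifier for every statement combining Effect:Allow with NotPrincipal.

    Accepts the bucket policy as a JSON string (as stored on the bucket) or as an
    already-parsed dict. A missing or empty policy grants nothing and is compliant.
    """
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    offenders = []
    for idx, stmt in enumerate(statements):
        # Only the Allow + NotPrincipal combination is flagged; Deny + NotPrincipal
        # is the legitimate use of NotPrincipal and passes.
        if stmt.get("Effect") == "Allow" and "NotPrincipal" in stmt:
            offenders.append(stmt.get("Sid", f"statement[{idx}]"))
    return offenders


def policy(resource: Dict[str, Any]) -> bool:
    """Detection-style entry point (assumed shape): True means the bucket is compliant."""
    return not find_allow_not_principal(resource.get("Policy"))


# Constructed example of the misconfiguration: everyone except one role may read.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAllButAuditor",
        "Effect": "Allow",
        "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:role/Auditor"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed rewrite: the same access expressed with an explicit Principal.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
```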