Check if S3 buckets have ACLs enabled

s3_bucket_acl_prohibited

Severity: medium
Service: s3
by Prowler

Risk

S3 ACLs are a legacy access control mechanism that predates IAM. ACL grants live on each bucket and object separately, cannot express conditions, and can target the predefined AllUsers and AuthenticatedUsers groups, so they are hard to audit centrally and easy to leave behind. IAM policies and bucket policies are the preferred mechanism today.

Run this check with Prowler CLI

prowler aws --checks s3_bucket_acl_prohibited

ARN template
arn:partition:s3:::bucket_name
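The check logic itself, as an added example that is not Prowler's own code: a bucket passes only when its Object Ownership setting is BucketOwnerEnforced. The example reads the shape returned by the S3 GetBucketOwnershipControls API and treats the OwnershipControlsNotFoundError case (no Object Ownership configured, which S3 evaluates as ObjectWriter) as ACLs enabled. The bucket names and API responses are constructed so it runs offline; the `aws_get_controls` function is the live boto3 variant and is an assumption about how you would wire it to a real account.

```python
"""Evaluate the s3_bucket_acl_prohibited condition for a set of buckets.

Added example, not Prowler's own code. The pure check logic is separated
from the AWS call so it can be exercised offline against constructed
API responses.
"""
from typing import Callable, Iterable, Optional

# Object Ownership values as returned by GetBucketOwnershipControls.
BUCKET_OWNER_ENFORCED = "BucketOwnerEnforced"    # ACLs disabled
BUCKET_OWNER_PREFERRED = "BucketOwnerPreferred"  # ACLs still enabled
OBJECT_WRITER = "ObjectWriter"                   # ACLs enabled (legacy default)


def object_ownership(controls: Optional[dict]) -> str:
    """Extract ObjectOwnership from a GetBucketOwnershipControls response.

    `controls` is None when the API raised OwnershipControlsNotFoundError,
    i.e. the bucket has no Object Ownership configuration at all; S3 then
    behaves as ObjectWriter, so ACLs are in effect.
    """
    if not controls:
        return OBJECT_WRITER
    rules = controls.get("OwnershipControls", {}).get("Rules", [])
    # The API allows exactly one rule; be defensive about an empty list.
    if not rules:
        return OBJECT_WRITER
    return rules[0].get("ObjectOwnership", OBJECT_WRITER)


def acls_enabled(controls: Optional[dict]) -> bool:
    """True unless ACLs are fully disabled (BucketOwnerEnforced)."""
    return object_ownership(controls) != BUCKET_OWNER_ENFORCED


def evaluate(buckets: Iterable[str],
             get_controls: Callable[[str], Optional[dict]]) -> dict:
    """Map each bucket name to 'PASS' or 'FAIL' (Prowler's status vocabulary)."""
    return {b: ("FAIL" if acls_enabled(get_controls(b)) else "PASS")
            for b in buckets}


# Constructed sample responses, modelled on the API response shape.
SAMPLE_RESPONSES = {
    "logs-enforced": {"OwnershipControls": {"Rules": [
        {"ObjectOwnership": "BucketOwnerEnforced"}]}},
    "assets-preferred": {"OwnershipControls": {"Rules": [
        {"ObjectOwnership": "BucketOwnerPreferred"}]}},
    "legacy-writer": {"OwnershipControls": {"Rules": [
        {"ObjectOwnership": "ObjectWriter"}]}},
    "legacy-unset": None,  # API raised OwnershipControlsNotFoundError
}


def sample_get_controls(bucket: str) -> Optional[dict]:
    """Offline stand-in for the S3 call, backed by the constructed data."""
    return SAMPLE_RESPONSES[bucket]


def aws_get_controls(bucket: str) -> Optional[dict]:
    """Live variant (assumed wiring): call S3 and map 'not found' to None.

    boto3 is imported lazily so the offline part needs no AWS SDK installed.
    """
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        return s3.get_bucket_ownership_controls(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == "OwnershipControlsNotFoundError":
            return None
        raise


if __name__ == "__main__":
    for bucket, status in evaluate(SAMPLE_RESPONSES, sample_get_controls).items():
        setting = object_ownership(SAMPLE_RESPONSES[bucket])
        print(f"{status}\t{bucket}\t{setting}")
```

Only `logs-enforced` passes: BucketOwnerPreferred still honours ACLs, and a bucket with no Object Ownership configuration at all is evaluated as ObjectWriter, so both count as findings. To run against a real account, pass `aws_get_controls` and a list of bucket names from ListBuckets instead of the constructed data.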

Recommendation

Ensure that S3 ACLs are disabled by setting the bucket's Object Ownership to BucketOwnerEnforced, which disables all bucket and object ACLs and makes the bucket owner the owner of every object in the bucket. Use IAM policies and bucket policies to manage access.

Remediation

CLI

aws s3api put-bucket-ownership-controls --bucket <bucket-name> --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'

The shorthand value is quoted so the shell does not interpret the brackets and braces. The request is rejected with InvalidBucketAclWithObjectOwnership if the bucket ACL still grants access outside the bucket owner's account; migrate those grants to a bucket policy first. Once BucketOwnerEnforced is set, requests that carry an ACL other than bucket-owner-full-control fail with AccessControlListNotSupported, so review clients that still send ACL headers.

Resource Type

AwsS3Bucket