Rules Contributing to AWS S3 Bucket Policy with Public Access Alert

The following rules are used to detect S3 bucket policies that allow unauthorized public access. Any one or more of these will trigger the AWS S3 Bucket Policy with Public Access Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Public Access in AWS S3 Bucket Policy

Detects S3 bucket policies that allow public access by granting permissions to all principals (Principal: "*"). This configuration can result in unauthorized data exposure and potential data breaches.

More details

Rule ID

aws_config_2

Query

{'selection1': {'configResourceType': 'AWS::S3::Bucket'}, 'selection2': {'bucketPolicy_statement_principle': '*', 'bucketPolicy_statement_effect': 'Allow', 'bucketPolicy_statement_action': ['s3:GetObject']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0009, T1530

References

N/A

Severity

Suppression Logic Based On

aws.configurationItem.ARN
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2025/12/17	high	N/A