← all rules
iac/cloudformation/cfn-s3-public-acl
S3 bucket ACL is public
highCloudFormationiac-cloudformation
What it detects
An S3 bucket with `AccessControl: PublicRead` / `PublicReadWrite` is readable (or writable) by anyone on the internet — one of the most common sources of large-scale data leaks.
Remediation
Remove the public `AccessControl` and front the bucket with CloudFront/OAC or pre-signed URLs if public objects are genuinely required.
How it runs
Run against YAML/JSON files that look like CloudFormation templates (AWSTemplateFormatVersion, or Resources + an AWS:: type). Line-based checks; the security-group rule tracks ingress-vs-egress context. Non-template YAML/JSON is skipped.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.