← all rules

iac/terraform/tf-s3-public-acl

S3 bucket ACL is public

highTerraformiac-terraform

What it detects

An S3 bucket with a `public-read` or `public-read-write` ACL is readable (or writable) by anyone on the internet. This is one of the most common sources of large-scale data leaks.

Remediation

Set `acl = "private"` and front the bucket with a CloudFront/OAC or pre-signed URLs if public objects are genuinely required.

How it runs

Detection layer not documented.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.