IAM policies should not allow broad list actions on S3 buckets


Should a malicious actor gain access to a role with a policy that includes broad list actions such as ListAllMyBuckets, the malicious actor would be able to enumerate all buckets and potentially extract sensitive data.

Remediation Steps

AWS Console

  • Navigate to IAM.

  • In the left navigation, select Policies.

  • Select the policy that includes S3 list actions, and ensure that broad list actions (s3:ListAllMyBuckets, s3:List*, s3:*) are not included.


AWS CLI

  • Ensure that IAM policies do not include broad S3 list actions. A managed policy is changed by publishing a new default version of its policy document (the `aws iam update-policy` command does not exist):

    • aws iam create-policy-version --policy-arn PolicyARN --policy-document file://policy.json --set-as-default

  • where policy.json holds a document without broad list actions, for example:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "s3:Get*",
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      }


Example Configuration

resource "aws_iam_group_policy" "example" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Deny"
        Action = [
          "s3:ListAllMyBuckets", # the broad list action named in the description above
        ]
        Resource = "*"
      }
    ]
  })
  # other required fields here
}
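As an added example (not part of this rule page or any AWS tooling), the following Python check flags IAM policy documents that effectively allow the account-wide list action named above. It applies equally to the policy.json used with the CLI step and to the document a Terraform `jsonencode` produces. It assumes the policy is available as parsed JSON; the sample documents at the bottom are constructed for illustration, and IAM wildcard matching (`*`, `?`, case-insensitive) is reimplemented here rather than taken from any library.

```python
import json
import re

# Account-wide S3 list actions this check flags when a policy allows them.
# Only the action named in the rule description is listed; extend as needed.
BROAD_LIST_ACTIONS = ("s3:ListAllMyBuckets",)


def _as_list(value):
    """IAM lets Action, NotAction, Resource and Statement be a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def action_matches(pattern, action):
    """True if an IAM action pattern (case-insensitive, with * and ? wildcards)
    covers the given action, so "s3:List*", "s3:*" and "*" all cover
    "s3:ListAllMyBuckets"."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def matching_pattern(stmt, action):
    """Return the Action pattern that covers `action`, the string "NotAction"
    when the statement covers it by exclusion, or None when it does not apply."""
    if "Action" in stmt:
        for pattern in _as_list(stmt["Action"]):
            if action_matches(pattern, action):
                return pattern
        return None
    if "NotAction" in stmt:
        # NotAction applies to every action except the listed ones.
        excluded = any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        return None if excluded else "NotAction"
    return None


def _is_blanket_deny(stmt):
    """A Deny cancels a finding only when it is unconditional and applies to
    every resource; a narrower Deny is ignored so it cannot hide a grant."""
    return (
        stmt.get("Effect") == "Deny"
        and "Condition" not in stmt
        and "*" in _as_list(stmt.get("Resource"))
    )


def find_broad_list_grants(policy_document):
    """Return (statement_index, action, matched_pattern) for each broad list
    action the policy effectively allows. An explicit blanket Deny wins."""
    statements = _as_list(policy_document.get("Statement"))
    denied = {
        action
        for stmt in statements if _is_blanket_deny(stmt)
        for action in BROAD_LIST_ACTIONS if matching_pattern(stmt, action)
    }
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for action in BROAD_LIST_ACTIONS:
            pattern = matching_pattern(stmt, action)
            if pattern and action not in denied:
                findings.append((idx, action, pattern))
    return findings


def check_policy_json(text):
    """Convenience wrapper for a policy document given as a JSON string."""
    return find_broad_list_grants(json.loads(text))


# Constructed sample policy documents (not taken from any real account).
SAMPLE_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:List*", "s3:GetObject"], "Resource": "*"}]}
SAMPLE_NARROW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}
SAMPLE_NOT_ACTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
SAMPLE_DENIED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in [("broad", SAMPLE_BROAD), ("narrow", SAMPLE_NARROW),
                      ("not_action", SAMPLE_NOT_ACTION), ("denied", SAMPLE_DENIED)]:
        print(name, find_broad_list_grants(doc))
```

The check treats a NotAction allow as a grant unless the excluded list covers the action, and only lets a Deny cancel a finding when that Deny is unconditional and targets every resource; both choices err toward reporting a grant rather than missing one. Resource and Condition on the Allow side are deliberately ignored, since ListAllMyBuckets is an account-level action for which a resource restriction does not narrow what is listed.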