DEV Community: Shieldly The latest articles on DEV Community by Shieldly (@shieldlyio). https://dev.to/shieldlyio https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4002311%2F46dd97e3-625c-4be8-8ec0-bf8dcd4c90d4.png DEV Community: Shieldly https://dev.to/shieldlyio en Securing S3 Bucket Policies: Public Access, Conditions, and Common Mistakes Shieldly Thu, 25 Jun 2026 12:24:23 +0000 https://dev.to/shieldlyio/securing-s3-bucket-policies-public-access-conditions-and-common-mistakes-1kbe https://dev.to/shieldlyio/securing-s3-bucket-policies-public-access-conditions-and-common-mistakes-1kbe <blockquote> <p><em>Originally published at <a href="https://www.shieldly.io/blog/" rel="noopener noreferrer">shieldly.io/blog</a>.</em></p> </blockquote> <p>S3 bucket policies are written once and forgotten. They survive team changes, architecture pivots, and migration projects — and they accumulate permissions that nobody intended to leave open. S3 misconfigurations have been behind some of the largest cloud data breaches on record.</p> <h2> Why S3 Bucket Policies Matter </h2> <p>Bucket policies are resource-based policies attached to the bucket itself. They can grant access to principals that have no IAM permissions at all — including anonymous callers — if the policy allows it. A single misconfigured statement can override months of careful IAM work.</p> <h2> The Three Most Dangerous Patterns </h2> <h3> 1. Principal: * with no condition </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>An unconditioned wildcard principal means any AWS account, any IAM entity, and any unauthenticated caller can invoke the allowed actions. On a public S3 endpoint this is the open internet.</p> <p><strong>Fix:</strong> Add a condition — <code>aws:PrincipalOrgID</code>, <code>aws:SourceArn</code>, or <code>aws:PrincipalArn</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:PrincipalOrgID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"o-yourorgid123"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 2. Missing s3:SecureTransport condition </h3> <p>Without <code>aws:SecureTransport: true</code>, the policy permits access over unencrypted HTTP. Credentials and data travel in plaintext. Add this to every Allow statement:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Bool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SecureTransport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 3. Overly broad Action grants </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:*"</span><span class="w"> </span></code></pre> </div> <p><code>s3:*</code> includes <code>s3:DeleteObject</code>, <code>s3:PutBucketPolicy</code>, and <code>s3:DeleteBucket</code>. A policy intended to share read access becomes a full-control grant. Replace with the exact actions needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">]</span><span class="w"> </span></code></pre> </div> <h2> S3 Block Public Access Interaction </h2> <p>Block Public Access (BPA) settings at the account and bucket level override bucket policies. But they only block policies that grant access to <code>Principal: *</code> — a policy granting access to a specific external account bypasses BPA entirely. BPA is not a substitute for correct bucket policy authoring.</p> <h2> What a Secure Bucket Policy Looks Like </h2> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:role/my-app-role"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Bool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SecureTransport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"arn:aws:s3:::my-bucket"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Bool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SecureTransport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"false"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Explicit principal, scoped actions, HTTPS enforced, deny-on-HTTP for belt-and-suspenders.</p> <p><em>Analyze S3 bucket policies automatically — paste into <a href="https://www.shieldly.io/app/iam" rel="noopener noreferrer">Shieldly's free AI-Powered analysis</a>. No signup, no credit card.</em></p> <p><em>Launch offer: code <code>90Off2M</code> — 90% off first 2 months. Pro from $1.90/mo. <a href="https://www.shieldly.io/pricing" rel="noopener noreferrer">shieldly.io/pricing</a></em></p> aws s3 security cloud Catching Risky IAM in CloudFormation Templates Before You Deploy Shieldly Thu, 25 Jun 2026 12:23:09 +0000 https://dev.to/shieldlyio/catching-risky-iam-in-cloudformation-templates-before-you-deploy-mno https://dev.to/shieldlyio/catching-risky-iam-in-cloudformation-templates-before-you-deploy-mno <blockquote> <p><em>Originally published at <a href="https://www.shieldly.io/blog/" rel="noopener noreferrer">shieldly.io/blog</a>.</em></p> </blockquote> <p>Most IAM security conversations center on the AWS console or raw JSON policy documents. But a significant share of production IAM misconfigurations originates in CloudFormation templates. By the time a CF stack is deployed, the IAM roles and policies inside it are live — and unless you reviewed the template before running <code>cdk deploy</code> or <code>aws cloudformation create-stack</code>, you may not have noticed what you just granted.</p> <h2> Why CloudFormation IAM Risk Is Different </h2> <p>In a CloudFormation template, IAM roles are buried alongside compute resources, storage buckets, and networking config. Reviewers focused on architecture often skim past the <code>Properties.Policies</code> block on a Lambda execution role.</p> <p>A single CloudFormation template may create five roles, two managed policy attachments, and three inline policies — all in a single deploy. The blast radius of an overly-permissive role is multiplied by every resource that role is attached to.</p> <h2> The Most Common CF IAM Mistakes </h2> <p><strong>AdministratorAccess on Lambda execution roles.</strong> Tempting during development. In production it grants <code>Action: *</code> on <code>Resource: *</code> to every invocation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># DO NOT SHIP THIS</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AdministratorAccess</span> </code></pre> </div> <p><strong><code>Action: *</code> in inline policies.</strong> Inline policies defined inside an <code>AWS::IAM::Role</code> resource are easy to overlook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">InlinePolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="c1"># Admin access, probably unintentional</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> </code></pre> </div> <p><strong>Missing permission boundaries on auto-created roles.</strong> Without a boundary, any policy attached to the role later is unconstrained.</p> <p><strong>Wildcard Resource on DynamoDB and S3.</strong> Scoping actions correctly but leaving <code>Resource: *</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">dynamodb:GetItem</span> <span class="pi">-</span> <span class="s">dynamodb:PutItem</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="c1"># applies to every table in the account</span> </code></pre> </div> <p>Fix: replace with the specific table ARN.</p> <h2> How CDK Makes It Easier to Slip Up </h2> <p>CDK provides escape hatches — <code>addToRolePolicy</code>, <code>addOverride</code>, raw <code>PolicyStatement</code> objects — that let developers bypass guardrails. A single escape-hatch call can inject an <code>Action: *</code> statement into an otherwise well-scoped role, and nothing in the CDK build output will flag it.</p> <h2> Catching It Before Deploy </h2> <p><strong>1. Analyze the synthesized template.</strong> <code>cdk synth</code> produces the CloudFormation JSON/YAML. Analyze that output before any deploy command runs.</p> <p><strong>2. Policy review gates in CI.</strong> Add a template analysis step to your CI pipeline that runs on every PR touching infrastructure files. Fail the pipeline on HIGH or CRITICAL IAM findings.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/shieldly.yml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Analyze CloudFormation IAM</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">shieldly-io/action@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="s">cdk.out/**/*.template.json</span> <span class="na">fail-on-severity</span><span class="pi">:</span> <span class="s">HIGH</span> <span class="na">env</span><span class="pi">:</span> <span class="na">SHIELDLY_API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SHIELDLY_API_KEY }}</span> </code></pre> </div> <p><em>Analyze CF templates automatically — paste a template into <a href="https://www.shieldly.io/app/iam" rel="noopener noreferrer">Shieldly's free AI-Powered analysis</a>. No signup, no credit card.</em></p> <p><em>Launch offer: code <code>90Off2M</code> — 90% off first 2 months. Pro from $1.90/mo. <a href="https://www.shieldly.io/pricing" rel="noopener noreferrer">shieldly.io/pricing</a></em></p> aws cloudformation iac security AWS IAM NotAction vs Deny: The Misread Statement That Grants Everything Shieldly Thu, 25 Jun 2026 11:57:10 +0000 https://dev.to/shieldlyio/aws-iam-notaction-vs-deny-the-misread-statement-that-grants-everything-3pl6 https://dev.to/shieldlyio/aws-iam-notaction-vs-deny-the-misread-statement-that-grants-everything-3pl6 <blockquote> <p><em>Originally published at <a href="https://www.shieldly.io/blog/" rel="noopener noreferrer">shieldly.io/blog</a>.</em></p> </blockquote> <p><code>NotAction</code> is one of the most misunderstood IAM elements. Its name suggests denial but it does not deny anything. When paired with <code>Effect: Allow</code>, it grants access to every action in all of AWS except the ones you listed.</p> <h2> What NotAction Actually Means </h2> <p><code>NotAction</code> inverts the <code>Action</code> element. Instead of listing what a statement covers, you list what it <strong>excludes</strong> — and the statement covers everything else.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NotAction"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"iam:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sts:*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This allows <strong>every action across every AWS service except IAM and STS</strong>. That includes <code>s3:DeleteObject</code>, <code>ec2:RunInstances</code>, <code>rds:CreateDBSnapshot</code>, <code>lambda:InvokeFunction</code>, and everything else. The author almost certainly meant to restrict IAM access — they accidentally granted everything else.</p> <h2> The One Legitimate Use Case </h2> <p><code>NotAction</code> with <code>Effect: Deny</code> is the one safe pattern. It is commonly used in Service Control Policies to create a "deny all except break-glass" control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NotAction"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"iam:CreateLoginProfile"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringNotEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:PrincipalArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:role/BreakGlassRole"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This denies everything except the listed break-glass actions, for everyone except the break-glass role.</p> <h2> How to Rewrite the Dangerous Pattern </h2> <p>If you wrote <code>NotAction</code> + <code>Effect: Allow</code> trying to deny specific actions, replace it:</p> <p><strong>Instead of this (grants everything except IAM):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NotAction"</span><span class="p">:</span><span class="w"> </span><span class="s2">"iam:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Write this (allows only what you need):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then add an explicit Deny for anything you want blocked:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"iam:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>Effect: Deny</code> with an explicit action list is not the same as <code>NotAction Allow</code> — the former creates a hard deny, the latter creates a broad allow. They are opposite things.</p> <p><em>Catch IAM statement mistakes automatically — paste a policy into <a href="https://www.shieldly.io/app/iam" rel="noopener noreferrer">Shieldly's free AI-Powered analysis</a>. No signup, no credit card.</em></p> <p><em>Launch offer: code <code>90Off2M</code> — 90% off first 2 months. Pro from $1.90/mo. <a href="https://www.shieldly.io/pricing" rel="noopener noreferrer">shieldly.io/pricing</a></em></p> aws security iam cloud