Skip to main content


Ensure the bucket Access Control List (ACL) does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP]


The S3 bucket ACL gives any authenticated AWS user total control of the bucket and the bucket ACL. It is best practice to restrict FULL_CONTROL.

Note: S3 buckets created with the default/recommended AWS settings have ACLs turned off and are therefore compliant with this policy.


Perform the following to revoke FULL_CONTROL for all AWS users:

  1. Sign in to the AWS Management Console.
  2. Select Services.
  3. Select S3.
  4. Select the bucket to change.
  5. Navigate to Permissions.
  6. Navigate to Access Control List and select Edit.
  7. Against Authenticated users group (anyone with an AWS account), clear 'List' and 'Write' under Objects, and 'Read' and 'Write' under Bucket ACL.
  8. Select Save changes.
  9. Repeat steps 4-8 for each bucket requiring updated permissions.