Service Control Policy example: Deny s3:CreateBucket if S3 bucket ACLs are enabled
S3 bucket ACLs are a legacy access control mechanism, and AWS recommends disabling them when creating new S3 buckets. Since IAM is the de facto standard for securing AWS resources, it is best practice to use bucket policies to control access to objects in an S3 bucket.
From the AWS console, you'll receive a notice to disable ACLs when you're creating a new S3 bucket.
To enforce bucket owner object ownership within an AWS Organization for every principal that creates new S3 buckets, you can apply the following Service Control Policy. It denies s3:CreateBucket unless the request sets object ownership to BucketOwnerEnforced, the setting that disables ACLs.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceS3BucketOwnerFullControl",
      "Action": "s3:CreateBucket",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-object-ownership": "BucketOwnerEnforced"
        }
      }
    }
  ]
}
```
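To see which CreateBucket requests the policy above blocks before rolling it out, here is an added example (not part of the original post) that evaluates the SCP's Deny statement against a constructed request context the way IAM does. It assumes the documented IAM rule that a negated operator such as StringNotEquals matches when the condition key is absent from the request, which is why a CreateBucket call that omits the ownership setting is denied as well.

```python
import json

# The SCP from the post, embedded here as a constant for offline evaluation.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "EnforceS3BucketOwnerFullControl",
    "Action": "s3:CreateBucket",
    "Effect": "Deny",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {"s3:x-amz-object-ownership": "BucketOwnerEnforced"}
    }
  }]
}
""")


def condition_matches(operator, expected, ctx):
    """Evaluate one condition block; only the operator the SCP uses is implemented."""
    if operator != "StringNotEquals":
        raise ValueError(f"unsupported operator: {operator}")
    for key, want in expected.items():
        allowed = want if isinstance(want, list) else [want]
        have = ctx.get(key)
        # Negated operator: an absent key counts as a match (documented IAM behaviour),
        # so a request without the ownership setting still hits the Deny.
        if have is not None and have in allowed:
            return False
    return True


def scp_denies(policy, action, ctx):
    """Return True when any Deny statement applies to this action and request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if action not in (actions if isinstance(actions, list) else [actions]):
            continue
        conditions = stmt.get("Condition", {})
        if all(condition_matches(op, exp, ctx) for op, exp in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed request contexts: the key mirrors the CreateBucket ownership setting.
    print(scp_denies(SCP, "s3:CreateBucket", {}))                                           # True
    print(scp_denies(SCP, "s3:CreateBucket", {"s3:x-amz-object-ownership": "ObjectWriter"}))  # True
    print(scp_denies(SCP, "s3:CreateBucket", {"s3:x-amz-object-ownership": "BucketOwnerEnforced"}))  # False
```

In practice this means bucket creation must set the ownership explicitly, for example `aws s3api create-bucket --object-ownership BucketOwnerEnforced ...`; a plain `aws s3 mb` that sends no ownership header is denied under this SCP.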
How to create the AWS Service Control Policy
Log in to the AWS console, open the AWS Organizations service and go to the Service control policies tab, where you can create the new policy. Note: AWS Organizations must be enabled for your account first.
Learn more about AWS Service Control Policies
If you are responsible for AWS Cloud infrastructure, take a look at The complete guide to AWS Service Control Policies.