Compliance

Lock down S3 bucket policies that hand sensitive actions to other AWS accounts

Security Hub S3.6 — a bucket policy that lets an outside account rewrite ACLs, encryption, or the policy itself is one statement away from data exfiltration; find and tighten them before someone else does.

12 min·10 sections·AWS

Last reviewed 27 May 2026

Remediates AWS Security Hub: S3.6

Cross-account bucket policies: the basics

Why letting another account touch your bucket policy is the dangerous part

An S3 bucket policy is a resource policy attached directly to the bucket. Unlike an IAM policy, it can grant access to principals that live in completely different AWS accounts — arn:aws:iam::222233334444:root in a Principal block hands the named account a foothold in your bucket. That's a legitimate feature used for log aggregation, cross-account data sharing, and vendor integrations. The risk is in which actions you hand over.

Security Hub control S3.6 checks whether a general purpose bucket policy lets a principal in another AWS account perform any of five high-blast-radius actions: s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, and s3:PutObjectAcl. The control fails if the policy Allows one or more of those actions for an external account. These are the actions that let an outsider rewrite the rules — delete your policy, flip an object's ACL to public, or change the encryption configuration out from under you.

It's flagged High severity because the actions on the list aren't read or write of data — they're control of the bucket's security posture. If an external account can call PutBucketPolicy, it can grant itself anything. If it can call PutObjectAcl, it can make individual objects world-readable. The finding is the gap between "we share this bucket with a partner" and "that partner can quietly reconfigure who else gets in."

In this lesson you'll learn how S3 bucket policies grant cross-account access, exactly which five administrative actions Security Hub S3.6 treats as off-limits for external principals, and why those actions matter far more than ordinary read/write. You'll see how to audit every bucket policy in an account, how to read a policy statement to spot an external Principal, and the safe remediation pattern — scope the principal, drop the dangerous actions, and add a confused-deputy guard — that keeps legitimate sharing working without handing over control of the bucket.

Fun fact

The wildcard principal that opened the door to the planet

A surprising number of real S3 exposures trace back not to a malicious actor but to a single overly broad statement: "Principal": "*" paired with an Allow on a PutObjectAcl or PutBucketPolicy action. The author meant "any principal in our partner account" and reached for a wildcard to save time. Because S3 evaluates "Principal": "*" as every AWS account on Earth, plus anonymous callers, that one shortcut converted a private data-sharing bucket into one any AWS user could reconfigure. S3.6 exists precisely because this class of mistake is so easy to make and so catastrophic when the granted action is administrative rather than a plain read.

Tightening a cross-account bucket policy in action

Dev is the platform engineer on call for the weekly security-finding review. Security Hub has raised an S3.6 finding on acme-partner-exports, a bucket the analytics team uses to hand monthly data files to an external partner. The policy Allows the partner account arn:aws:iam::222233334444:root on s3:GetObject, s3:PutObject — and s3:PutObjectAcl. That last one is why it failed: the partner can flip the ACL on any object they touch to public-read.

He pulls the live policy and reads it carefully. The partner genuinely needs GetObject to retrieve the exports, and the analytics pipeline writes the files, so the partner doesn't even need PutObject. The PutObjectAcl grant is pure leftover — copied from an old template where the partner used to upload. Nobody has called it in months, which he confirms from CloudTrail.

Dev rewrites the statement to grant the partner only s3:GetObject, scoped to the arn:aws:iam::222233334444:root principal and the specific export prefix, and adds an aws:SourceAccount condition as a confused-deputy guard. He applies it, re-runs the finding, and watches S3.6 flip to PASSED. The partner integration keeps working — they were only ever reading — and the bucket can no longer be reconfigured from outside. Total time: about eight minutes, most of it reading CloudTrail to confirm the action was unused.

First, pull the policy for a flagged bucket and look for an external account principal paired with one of the five sensitive actions.

$ aws s3api get-bucket-policy --bucket acme-partner-exports --query Policy --output text | jq '.Statement[]'

{

"Sid": "PartnerExportAccess",

"Effect": "Allow",

"Principal": { "AWS": "arn:aws:iam::222233334444:root" },

"Action": [

"s3:GetObject",

"s3:PutObject",

"s3:PutObjectAcl"

"Resource": "arn:aws:s3:::acme-partner-exports/*"

}

# External account is granted s3:PutObjectAcl — this is why S3.6 fails.

An external Principal plus s3:PutObjectAcl lets the partner make objects public — exactly what S3.6 catches.

After rewriting the statement to grant only s3:GetObject (scoped + with a confused-deputy condition), confirm the control now passes.

$ aws securityhub get-findings --filters '{"GeneratorId":[{"Value":"security-control/S3.6","Comparison":"EQUALS"}],"ResourceId":[{"Value":"arn:aws:s3:::acme-partner-exports","Comparison":"EQUALS"}]}' --query 'Findings[0].Compliance.Status'

[

"PASSED"

]

# Partner can still read exports; it can no longer rewrite ACLs or the policy.

Least-privilege sharing — read-only access stays, administrative actions are gone, and the finding clears.

S3.6 under the hooddeep dive

S3.6 is backed by the AWS Config managed rule s3-bucket-blacklisted-actions-prohibited. The rule evaluates each general purpose bucket's policy and fails if the policy Allows any principal from a different AWS account to perform one of the actions in the blacklistedactionpatterns parameter. For this control that parameter is fixed and not customizable: s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, and s3:PutObjectAcl. Any action not on that list is allowed to be granted cross-account without failing the rule — the control is deliberately narrow, targeting only the actions that let an outsider change the bucket's security posture.

The evaluation is change-triggered, so it re-runs whenever the bucket policy is modified, and "another AWS account" is determined by comparing the account in the Principal ARN to the bucket-owning account. A "Principal": "*" or a wildcard account ARN counts as external and will fail if it's allowed any blacklisted action. Note the control inspects the bucket policy specifically — it doesn't evaluate IAM identity policies in the other account, ACLs, or access points; those are covered by sibling controls (S3.12 for ACLs, S3.19 for access points).

The right remediation is least privilege: keep the external principal explicit (a specific account ARN or, better, a specific role ARN — never *), grant only the data actions the integration actually uses, and remove every administrative action from the cross-account statement. For partner integrations, add an aws:SourceAccount or aws:SourceArn condition to defend against the confused-deputy problem, where a third service is tricked into using its own permissions on your bucket.

# List every bucket, then dump each policy and flag the five S3.6 actions on external grants.
BLACKLIST='s3:DeleteBucketPolicy|s3:PutBucketAcl|s3:PutBucketPolicy|s3:PutEncryptionConfiguration|s3:PutObjectAcl'

for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
  POLICY=$(aws s3api get-bucket-policy --bucket "$b" --query Policy --output text 2>/dev/null) || continue
  if echo "$POLICY" | grep -Eq "$BLACKLIST"; then
    echo "==> $b grants a blacklisted action; inspect the Principal:"
    echo "$POLICY" | jq '.Statement[] | select(.Effect=="Allow") | {Principal, Action}'
  fi
done

# For any hit, confirm the Principal is an external account (not your own / not a service principal),
# then rewrite the statement to drop the administrative actions and re-scope the principal.
aws s3api put-bucket-policy --bucket acme-partner-exports --policy file://tightened-policy.json

What is the impact of cross-account access to sensitive bucket actions?

The direct impact is loss of control over your own data store. If an external account can call s3:PutBucketPolicy, it can append a statement granting itself — or anyone — full access, and your original guardrails evaporate. s3:DeleteBucketPolicy lets it strip the policy entirely, falling back to whatever default access the account and ACLs permit. s3:PutObjectAcl and s3:PutBucketAcl let it set objects or the bucket to public-read. s3:PutEncryptionConfiguration lets it change or weaken encryption. Every one of these is a path from "shared" to "compromised" without the data owner doing anything wrong.

The second-order impact is data exfiltration by an insider or an attacker who has compromised the external account. AWS itself frames this control around least privilege: if a bucket policy allows access from external accounts, a malicious or careless party on the other side can exfiltrate data or open it to the world. Because the granted actions are administrative, the blast radius isn't one file — it's the whole bucket's access model, and the change can be made quietly and persist until the next audit catches it.

There's a compliance and audit impact too. S3.6 maps to NIST 800-53 controls around least privilege and configuration management (CA-9(1), CM-2) and NIST 800-171 boundary protection. A failed S3.6 on a bucket holding regulated data is the kind of finding that turns up in audit reports, breach disclosures, and customer security questionnaires. The cost when it goes wrong isn't a storage line item — it's incident response, regulatory penalties, mandatory notification, and reputational damage, any of which can be orders of magnitude larger than the entire cloud bill.

Finally, this category is a discipline signal. A bucket that over-grants cross-account administrative actions almost always got there by copy-pasting a template, using a * principal to save time, or never revisiting a grant after the project that needed it ended. Where you find one, you tend to find a pattern: sharing set up in a hurry and never reviewed. Cleaning up the finding is the small part; closing the gap that produced it is the durable win.

How do you remediate an S3.6 finding safely?

Remediation is a four-step loop: inventory which buckets grant the dangerous actions cross-account, confirm what the external party actually needs, rewrite to least privilege without breaking the integration, and add a guardrail so the gap doesn't reopen.

1. Inventory every bucket policy that grants a blacklisted action externally

Pull every bucket policy in the account and search each one for the five S3.6 actions — s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutObjectAcl — granted with Effect: Allow to a principal in another account or to *. Tag each hit with the data sensitivity of the bucket; that's what sets remediation priority. A * principal on any of these is the highest urgency regardless of contents, because it's open to the whole internet.

2. Confirm what the external party actually uses before changing anything

Don't strip permissions blind — check CloudTrail data events to see which actions the external account has actually called over the last 90 days. Most over-grants are leftovers from a template or an earlier phase of the integration and have never been invoked. Where an administrative action genuinely is in use (rare, but it happens with some backup or replication tooling), that's a conversation with the owner about whether a different, scoped mechanism fits better — not a silent removal.

3. Rewrite the statement to least privilege

Replace any * principal with the specific external account or, better, a specific role ARN. Remove every blacklisted administrative action from the cross-account statement, keeping only the data actions the integration needs (typically s3:GetObject, sometimes s3:PutObject). Scope the Resource to the exact prefix in use rather than the whole bucket. Apply the new policy and re-run the S3.6 finding to confirm it flips to PASSED.

4. Add a confused-deputy guard and a recurring check

For partner and service integrations, add an aws:SourceAccount or aws:SourceArn condition so the bucket can only be reached on behalf of the intended account, closing the confused-deputy gap. Then make S3.6 a standing item: leave the AWS Config rule enabled so any future policy change re-triggers the check, and route new High-severity findings into the security review with an SLA. The rewrite fixes today's finding; the guardrail and the cadence stop the next one.

# tightened-policy.json: external account keeps read-only, all admin actions removed,
# principal scoped to a role, and a confused-deputy guard added.
cat > tightened-policy.json <<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PartnerExportReadOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222233334444:role/acme-export-reader" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::acme-partner-exports/exports/*",
      "Condition": { "StringEquals": { "aws:SourceAccount": "222233334444" } }
    }
  ]
}
JSON

aws s3api put-bucket-policy --bucket acme-partner-exports --policy file://tightened-policy.json

# Verify no blacklisted action survives in the cross-account grant.
aws s3api get-bucket-policy --bucket acme-partner-exports --query Policy --output text \
  | grep -E 's3:DeleteBucketPolicy|s3:PutBucketAcl|s3:PutBucketPolicy|s3:PutEncryptionConfiguration|s3:PutObjectAcl' \
  && echo 'STILL FAILING' || echo 'clean'

Quick quiz

Question 1 of 5

A bucket policy grants an external partner account s3:GetObject and s3:PutObjectAcl on your exports bucket. CloudTrail shows the partner has only ever called GetObject. What's the right remediation?

Keep learning

Dig deeper into S3 bucket policies, cross-account access patterns, and the control behind this finding.

You've completed Lock down S3 bucket policies that hand sensitive actions to other AWS accounts. You now know the five administrative actions Security Hub S3.6 forbids granting cross-account, why control of the bucket's posture is far more dangerous than read/write of its data, and the safe four-step loop — inventory, confirm usage, rewrite to least privilege, add a guardrail — that clears the finding without breaking a legitimate integration. The next time S3.6 fires, you'll have a defensible path from "flagged" to "PASSED" in under ten minutes.

Back to the library

Cross-account bucket policies: what it means for risk and cost

A sharing setting that can turn into a data-loss event

Amazon S3 is the storage service where most of an organization's cloud data lives — backups, exports, logs, customer files. A bucket can be configured to let a different AWS account, often a partner, vendor, or another part of the business, reach into it. That sharing is normal and useful. The problem this finding catches is when the sharing goes further than it should: the outside account is allowed not just to read or write files, but to change the bucket's own security settings.

Security Hub control S3.6 flags buckets whose sharing rules let an external account perform a short list of sensitive administrative actions — things like rewriting the access rules, changing how the data is encrypted, or making individual files publicly readable. In plain terms, it's the difference between giving a contractor a key to one room and giving them the ability to re-cut every key in the building. The cost exposure here isn't a monthly line item; it's the tail risk of a breach, a regulatory penalty, or an incident-response bill that dwarfs any storage saving.

From a financial-governance standpoint, this is a control that protects against low-probability, high-impact loss. The number to care about isn't dollars per month — it's how many buckets are in this state, whether any of them hold regulated or customer data, and how quickly the count is trending toward zero. A single flagged bucket holding sensitive data is a board-level risk; ten flagged buckets holding only public marketing assets is a cleanup task. The job of governance is to tell those two cases apart and make sure the first one never lingers.

This lesson is for the finance or governance partner who owns cloud risk reporting and needs to understand why an S3 sharing setting shows up as a High-severity finding. It explains what the control protects against in business terms, why it's a tail-risk control rather than a cost-savings one, how to judge which flagged buckets are genuinely serious, and the three governance levers — inventory-by-data-sensitivity, an exception process, and a remediation SLA — you can pull without touching a console. By the end you'll know what to ask for in the risk review and how to tell a real exposure from a noise finding.

Fun fact

The wildcard principal that opened the door to the planet

How a governance partner closes the loop

Maya owns cloud risk reporting and chairs the monthly security review. Security Hub has flagged a cluster of S3.6 findings, and rather than treat them as a uniform list, she asks the one question that sorts them: "Which of these buckets hold regulated or customer data, and which are sharing the dangerous actions versus just read access?" The security engineer maps it out — of eleven flagged buckets, two hold customer exports and grant an external account the ability to rewrite access rules; the other nine are internal log-shipping buckets sharing only read access in an unusual but low-risk way.

The conversation is about prioritization, not policy syntax. Maya doesn't ask which IAM actions are involved or how the conditions are written. She asks who owns each of the two serious buckets, who the external account belongs to, and whether the sharing was ever formally approved. It turns out one is a sanctioned partner integration that simply over-granted, and the other is a forgotten vendor proof-of-concept from a project that ended last year. The first gets a same-week fix; the second gets the external grant removed entirely, since nobody can justify it.

Maya records both in the risk register, sets a five-business-day remediation SLA for any future High-severity S3.6 finding on a data-bearing bucket, and stands up a lightweight exception process for the deliberate low-risk cases so they stop generating review noise. Two reviews later the count is stable and every remaining finding has a documented owner and reason. The dollar figure was never the point — the point was that no external account can reconfigure customer data without someone having signed off on exactly why.

Why this matters to risk, not the monthly bill

Unlike most cloud findings, this one has essentially no recurring dollar cost — tightening a bucket policy doesn't change the storage bill at all. Its entire financial significance is on the risk side of the ledger: it's a low-probability, high-severity exposure. The expected monetary impact is the probability of a data breach multiplied by the cost of one, and for a bucket holding customer or regulated data, the cost of one is large enough that even a small probability dominates any other number on the page.

That changes how it should be tracked. There's no "acceptable steady-state spend" to manage down here; the right metric is the count of flagged buckets weighted by data sensitivity, and the speed at which serious ones are remediated. A flagged bucket of public marketing images is a housekeeping item. A flagged bucket of customer PII that lets an external account rewrite its access rules is a material risk that belongs in the risk register and possibly in the next board risk update. Governance's job is to make sure those two never get treated the same way.

The third impact is contractual and regulatory. Many customer contracts and frameworks — SOC 2, ISO 27001, PCI DSS, and the NIST families this control maps to — require demonstrable least-privilege access to data. A standing population of S3.6 failures is evidence that the control isn't operating, which can surface in audits, delay deals that hinge on a security questionnaire, or trigger penalties if it's tied to data that's actually exposed. The cost of remediation is trivial; the cost of being unable to show the control works is not.

Finally, treat it as a leading indicator of sharing discipline. A rising count of cross-account findings usually means data-sharing is being set up ad hoc, without an approval step or a review cadence — the same gap that produces the next exposure. Watching the trend, and insisting that every external grant has a named owner and a documented reason, costs almost nothing and prevents the expensive version of this problem.

What governance can actually do about this

Governance can't rewrite a bucket policy, but it can set the conditions that keep the serious findings rare and short-lived. Three levers, used together at the risk-review cadence.

1. Triage by data sensitivity, not raw count

Insist the finding list is reported weighted by what the bucket holds, not as a flat number. A cross-account administrative grant on a bucket of customer or regulated data is a material risk; the same grant on a public-asset bucket is housekeeping. Reporting the two separately stops the serious one from hiding inside a long list and keeps attention where the real exposure is.

2. Require an approval and owner for every cross-account grant

Make deliberate external sharing a thing that gets recorded — who the external account is, what data it touches, who approved it, and why. A grant with no owner and no recorded reason is the default candidate for removal. This single rule converts "audit a pile of policies" into "reconcile a short approved list," and it's the cheapest thing you can do to keep the category small.

3. Set a remediation SLA tied to severity and data sensitivity

Agree a fixed clock — for example, five business days for any High-severity S3.6 finding on a data-bearing bucket — and report breaches of the SLA, not just the open count. The goal isn't zero findings forever; new sharing will always be set up. The goal is that the dangerous ones never sit unattended, and the SLA is what makes that measurable without anyone reading a policy.

4. Run a lightweight exception process for the genuine low-risk cases

Some cross-account sharing is deliberate, reviewed, and low-risk, yet still generates findings. Give those a documented, time-boxed exception with an owner and a review date, so they stop consuming review attention and the remaining open findings are all things that genuinely need action. An exception list with owners is governance working; a pile of unexplained suppressions is governance failing.

Quick quiz

Question 1 of 5

Security Hub shows eleven open S3.6 findings. Two are on buckets holding customer data and grant an external account administrative actions; nine are on internal log buckets sharing only read access. As the governance partner, what's the right next move?

Keep learning

Dig deeper into S3 bucket policies, cross-account access patterns, and the control behind this finding.

You've finished the governance partner's view of S3.6. You know this is a tail-risk control rather than a cost one, why flagged buckets must be triaged by data sensitivity, and what the three levers are — sensitivity-weighted reporting, approval-and-ownership for every external grant, and a remediation SLA with an exception process. Next time the finding shows up in the risk review, you'll have a sharper question than "can engineering just fix these?"

Back to the library

Cross-account bucket policies: the headline

When data sharing quietly becomes data control

Cloud storage buckets can be shared with other AWS accounts on purpose — that's how partners, vendors, and internal teams exchange data. This control catches the cases where that sharing accidentally goes too far: an outside account isn't just allowed to use the data, it's allowed to change the security rules around it. That's the configuration behind a meaningful share of real-world cloud data breaches.

This is a security-posture and accountability issue, not a cost line. Each flagged bucket is a question: do we actually mean for this external party to be able to reconfigure access to our data? The right outcome isn't "never share" — it's that every cross-account grant is deliberate, scoped to the minimum needed, and owned by someone who can explain why it exists.

A short read for the executive who wants to understand a recurring High-severity cloud finding and the one question to ask about it. You'll get the plain-language framing of what cross-account access means, why the specific actions on the list are dangerous, what this category signals about data-sharing discipline, and what "good" looks like at an org level — no policies to read, no commands to run.

Fun fact

The wildcard principal that opened the door to the planet

What it looks like when the org gets this right

At one company, the security review used to surface a recurring slide: "11 S3 buckets share access with external accounts, 2 of them with administrative permissions." Every quarter the number drifted, and the discussion devolved into engineers explaining IAM syntax to a room that didn't need it. The exec sponsor changed the question. Instead of "how many findings," she asked "which of these touch customer data, who approved the sharing, and how fast do the serious ones get fixed?"

Within two quarters the slide changed shape. It no longer listed raw finding counts; it showed that every cross-account grant on a data-bearing bucket was deliberate, owned, and documented, and that any new High-severity finding was resolved within a week. The forgotten vendor integrations were gone, the legitimate partner shares were scoped down to read-only, and the noise findings had an exception process so they stopped consuming review time.

That's the right outcome state. The goal was never "zero cross-account sharing" — sharing is how the business runs. The goal was that every external grant is intentional and accountable, and that the dangerous ones can't sit unattended. The finding list stopped being an argument and became a confidence signal.

Why this is on the risk report at all

The reason this finding is tracked isn't its cost — it's near zero — but its potential consequence. It represents the specific configuration that lets an outside party gain control over how your data is accessed, which is the mechanism behind a meaningful share of public cloud data breaches. A single such finding on a bucket holding sensitive data is the kind of thing that turns into a disclosure, a regulatory penalty, and a headline; the cost of that event dwarfs anything in the cloud bill.

There's a second-order signal too. A growing or stale population of these findings means data is being shared across organizational boundaries without a deliberate approval and review step. That same absence of discipline tends to produce the next exposure, whether or not it shows up as this exact finding. So the category sits at the intersection of data protection, regulatory compliance, and operational governance — which is why it belongs on the risk report even though it never appears on the cost report.

The leadership move on this category

The actionable handle for an executive isn't to chase the finding count — it's to set the norms that make a serious version of this finding impossible to ignore.

1. Insist every external data grant is deliberate and owned

Sharing data with partners and vendors is normal; sharing it by accident or leaving an old grant in place is the risk. Require that every cross-account access to data has a named owner and a recorded business reason. Unexplained external access is the default thing to remove, and that single norm prevents most of this category.

2. Demand fast remediation for findings on sensitive data

The severity of an S3.6 finding depends almost entirely on what the bucket holds. Set the expectation that any such finding on customer or regulated data is fixed in days, not quarters, and that the fix time is reported. This converts a technical finding list into a single accountability metric leadership can track.

3. Treat the trend as a security-posture signal

Ask for the direction, not the detail: "Is the count of cross-account findings on sensitive data flat or growing, and how fast are we closing them?" A flat, fast-closing number means data-sharing discipline is working. A growing or slow-closing one is an early warning that the next exposure is being set up right now — and that's the moment to push, not after an incident.

Quick quiz

Question 1 of 5

You're reviewing the security pack. The count of cross-account S3 findings on sensitive-data buckets has been flat for three quarters, each one closed within a week, and every external grant has a named owner. What's the right read?

Keep learning

Dig deeper into S3 bucket policies, cross-account access patterns, and the control behind this finding.

That's the lesson. Two takeaways worth holding onto: cross-account sharing turning into cross-account control is the mechanism behind real cloud breaches, and the severity of any one finding depends on what the bucket holds. The leadership question is about deliberate ownership and fast remediation on sensitive data — not about the raw finding count.

Back to the library

Lock down S3 bucket policies that hand sensitive actions to other AWS accounts

Cross-account bucket policies: the basics

The wildcard principal that opened the door to the planet

Tightening a cross-account bucket policy in action

S3.6 under the hooddeep dive

What is the impact of cross-account access to sensitive bucket actions?

How do you remediate an S3.6 finding safely?

1. Inventory every bucket policy that grants a blacklisted action externally

2. Confirm what the external party actually uses before changing anything

3. Rewrite the statement to least privilege

4. Add a confused-deputy guard and a recurring check

Quick quiz

Keep learning

Cross-account bucket policies: what it means for risk and cost

The wildcard principal that opened the door to the planet

How a governance partner closes the loop

Why this matters to risk, not the monthly bill

What governance can actually do about this

1. Triage by data sensitivity, not raw count

2. Require an approval and owner for every cross-account grant

3. Set a remediation SLA tied to severity and data sensitivity

4. Run a lightweight exception process for the genuine low-risk cases

Quick quiz

Keep learning

Cross-account bucket policies: the headline

The wildcard principal that opened the door to the planet

What it looks like when the org gets this right

Why this is on the risk report at all

The leadership move on this category

1. Insist every external data grant is deliberate and owned

2. Demand fast remediation for findings on sensitive data

3. Treat the trend as a security-posture signal

Quick quiz

Keep learning

Related compliance lessons