Links

AWS S3 Bucket Policy Does Not Use Allow With Not Principal

Risk
Remediation Effort
High
Medium
This policy validates that no S3 buckets have a policy that uses an Effect:Allow with a NotPrincipal. A configuration like this allows global access to that object with the specified actions to all entities except the specified NotPrincipal. It is very rare to need to use a NotPrincipal, and using a NotPrincipal with an Effect:Allow is almost always an incorrect configuration.
Remediation
To remediate this, remove the grant that is using a NotPrincipal with an Effect:Allow, either by removing the grant entirely or re-writing it correctly.
Reference