S3 bucket does not have all block public access options enabled Affecting S3 service in AWS


0.0
medium
    Severity Framework Snyk CCSS
    Rule category Data / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-AWS CSA-CCM ISO-27001 SOC-2
  • Snyk ID SNYK-CC-00195
  • credit Snyk Research Team

Description

AWS's S3 Block Public Access feature has four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets. All four settings are enabled by default to help prevent the risk of a data breach.

How to fix?

By default, AWS blocks all public access to an S3 bucket. This default setting is considered secure.

This default setting can also be explicitly configured by creating an aws_s3_bucket_public_access_block resource for each bucket, or configuring an aws_s3_account_public_access_block to enable block public access settings at the account level.

To enable block public access settings at the bucket level:

To enable block public access settings at the account level:

  • Ensure that all of the following aws_s3_account_public_access_block fields are set to true:

    • block_public_acls
    • block_public_policy
    • ignore_public_acls
    • restrict_public_buckets

Example Configuration

# Enable for a single bucket
resource "aws_s3_bucket" "private" {
  acl           = "private"
  # other required fields here
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = aws_s3_bucket.private.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}