Severity: HIGH
Source: Trivy/CSPM
CSPM ID: s3-bucket-all-users-acl
ID: AVD-AWS-0086

S3 Access block should block public ACL

S3 buckets should block public ACLs on the bucket and on any objects they contain. With blocking enabled, a PUT request fails if the object being written specifies any public ACL.

Impact

PUT calls with public ACLs specified can make objects public.

Follow the appropriate remediation steps below to resolve the issue.

Enable blocking any PUT calls with a public ACL specified

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
    Type: AWS::S3::Bucket
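As an added example (not part of this Trivy/AVD page), a small Python checker that applies this rule to a CloudFormation template in JSON form, the way a policy scanner would: it flags every AWS::S3::Bucket whose PublicAccessBlockConfiguration does not set BlockPublicAcls to true, treating a missing configuration and the string "false" as failures. The template and its resource names are constructed sample data.

```python
import json

# Constructed CloudFormation template (JSON form): one compliant bucket,
# two non-compliant buckets and one non-bucket resource. Sample data only.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoodExample": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                }
            },
        },
        # No PublicAccessBlockConfiguration at all: public ACLs are not blocked.
        "NoBlockConfig": {"Type": "AWS::S3::Bucket", "Properties": {}},
        # Configuration present but BlockPublicAcls explicitly off.
        "AclsNotBlocked": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": "false"}},
        },
        "NotABucket": {"Type": "AWS::SNS::Topic"},
    },
})


def _is_true(value) -> bool:
    """CloudFormation accepts real booleans or the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def buckets_not_blocking_public_acls(template_text: str) -> list[str]:
    """Return logical IDs of AWS::S3::Bucket resources whose
    PublicAccessBlockConfiguration.BlockPublicAcls is not true (AVD-AWS-0086)."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        block_cfg = props.get("PublicAccessBlockConfiguration") or {}
        # A missing key counts as not blocked, matching the AWS default.
        if not _is_true(block_cfg.get("BlockPublicAcls", False)):
            findings.append(logical_id)
    return sorted(findings)


if __name__ == "__main__":
    for bucket in buckets_not_blocking_public_acls(SAMPLE_TEMPLATE):
        print(f"HIGH AVD-AWS-0086: {bucket} does not block public ACLs")
```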


Enable blocking any PUT calls with a public ACL specified

resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"
}

# The public access block is a separate resource attached to the bucket.
# block_public_acls is the setting this check looks for; it defaults to false
# when omitted.
resource "aws_s3_bucket_public_access_block" "good_example" {
  bucket = aws_s3_bucket.good_example.id
  block_public_acls = true
}