Severity: HIGH
Source: Trivy
ID: AVD-AWS-0087

S3 Access block should block public policy

S3 buckets should have BlockPublicPolicy enabled in their public access block configuration, so that S3 rejects any PutBucketPolicy call whose policy would grant public access. BlockPublicPolicy only stops new public policies from being attached; a public policy that is already in place is neutralised by RestrictPublicBuckets, which is why the two are normally enabled together, along with the two ACL settings.

Impact

Without BlockPublicPolicy, any principal allowed to call s3:PutBucketPolicy on the bucket can attach a policy that grants public access, which can expose the bucket's contents to anonymous readers.

Follow the appropriate remediation steps below to resolve the issue.

Prevent policies that allow public access being PUT (CloudFormation)

Resources:
  GoodExample:
    Type: AWS::S3::Bucket
    Properties:
      # All four settings together leave no anonymous path to the bucket.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true        # reject new public ACLs on the bucket and its objects
        BlockPublicPolicy: true      # reject PutBucketPolicy calls that would grant public access (this check)
        IgnorePublicAcls: true       # ignore any public ACLs already present
        RestrictPublicBuckets: true  # if a public policy exists, limit access to the account and AWS service principals
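
As an added example, not part of this page or of the Trivy check itself, the following Python applies the same rule offline to a CloudFormation template in JSON form (the YAML above expressed in JSON syntax) and also produces a hardened copy of the template with all four settings enabled. The function names, the sample template and its resource names are constructed for illustration; the only real identifiers are the CloudFormation resource type and property names.

```python
# Added example (not from the Trivy project): a minimal offline check that
# applies the AVD-AWS-0087 rule to a CloudFormation template in JSON form.
# Function names and the sample template are hypothetical.
import copy
import json

# Constructed sample template covering the cases the check must distinguish.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Resources": {
    "GoodExample": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        }
      }
    },
    "StringBoolean": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicPolicy": "true"}
      }
    },
    "MissingConfig": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "no-public-access-block"}
    },
    "ExplicitlyFalse": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicPolicy": false}
      }
    },
    "NotABucket": {
      "Type": "AWS::SQS::Queue",
      "Properties": {}
    }
  }
}
""")

# The full bucket-level public access block, as in the CloudFormation example.
FULL_BLOCK = {
    "BlockPublicAcls": True,
    "BlockPublicPolicy": True,
    "IgnorePublicAcls": True,
    "RestrictPublicBuckets": True,
}


def _is_true(value):
    """CloudFormation accepts JSON true or the string "true" for boolean properties."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def s3_buckets(template):
    """Yield (logical_id, resource) for every AWS::S3::Bucket in the template."""
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            yield logical_id, resource


def find_buckets_without_block_public_policy(template):
    """Return logical IDs of buckets where BlockPublicPolicy is absent or not true.

    A bucket with no PublicAccessBlockConfiguration is reported too: the
    template then says nothing about the setting, and the check wants it
    stated explicitly rather than left to whatever the default happens to be.
    """
    findings = []
    for logical_id, resource in s3_buckets(template):
        props = resource.get("Properties") or {}
        block = props.get("PublicAccessBlockConfiguration") or {}
        if not _is_true(block.get("BlockPublicPolicy")):
            findings.append(logical_id)
    return findings


def harden_template(template):
    """Return a copy of the template with all four public-access-block settings
    set to true on every S3 bucket; the input template is not modified."""
    hardened = copy.deepcopy(template)
    for _, resource in s3_buckets(hardened):
        props = resource.setdefault("Properties", {})
        block = props.setdefault("PublicAccessBlockConfiguration", {})
        block.update(FULL_BLOCK)
    return hardened


if __name__ == "__main__":
    for bucket in find_buckets_without_block_public_policy(SAMPLE_TEMPLATE):
        print(f"AVD-AWS-0087: {bucket} does not block public bucket policies")
    print("after hardening:",
          find_buckets_without_block_public_policy(harden_template(SAMPLE_TEMPLATE)))
```

The string form of the boolean is accepted because CloudFormation treats "true" and true alike for this property; a checker that compared only against the JSON boolean would report a false positive on StringBoolean.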

Prevent policies that allow public access being PUT (Terraform)

resource "aws_s3_bucket" "example" {
  bucket = "mybucket"
}

resource "aws_s3_bucket_public_access_block" "good_example" {
  bucket = aws_s3_bucket.example.id

  # Required by this check: reject bucket policies that would grant public access.
  block_public_policy = true

  # Not required by this check, but normally set alongside it.
  block_public_acls       = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}