Severity: HIGH
Source: Trivy
ID: AVD-AWS-0087

S3 Access block should block public policy

The bucket's public access block configuration should enable BlockPublicPolicy, so that S3 rejects any attempt to PUT a bucket policy that grants public access.

Impact

Without BlockPublicPolicy, any principal allowed to call PutBucketPolicy could attach a policy that grants public access, exposing the bucket's contents.

Follow the appropriate remediation steps below to resolve the issue.

Prevent policies that allow public access being PUT (CloudFormation)

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::S3::Bucket
    Properties:
      # All four flags enabled; BlockPublicPolicy is the one this check requires.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true        # reject PutBucketPolicy calls that grant public access
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Prevent policies that allow public access being PUT (Terraform)

resource "aws_s3_bucket" "example" {
  bucket = "mybucket"
}

# The public access block is a separate resource attached to the bucket by id.
resource "aws_s3_bucket_public_access_block" "good_example" {
  bucket = aws_s3_bucket.example.id

  # Required by this check: reject PutBucketPolicy calls that grant public access.
  block_public_policy = true

  # The remaining flags default to false; enable them unless the bucket must be public.
  block_public_acls       = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
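The infrastructure-as-code fixes above stop the misconfiguration before deployment. To audit the same condition on buckets that already exist, the following added Python example (not Trivy's code and not part of this page's original remediation) evaluates a bucket's PublicAccessBlockConfiguration in the shape that the S3 GetPublicAccessBlock API returns it and reports AVD-AWS-0087 when BlockPublicPolicy is false or the bucket has no public access block at all. The is_public_policy helper is an assumed, simplified approximation of what S3 considers a "public" policy (a wildcard principal in an Allow statement with no Condition); S3's real evaluation also takes Condition keys into account. Bucket names, policies and configurations are constructed sample data.

```python
"""Offline check for AVD-AWS-0087 (S3 access block should block public policy).

Added example; not Trivy's own code. Evaluates PublicAccessBlockConfiguration
dicts in the shape boto3's s3.get_public_access_block() returns them.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

RULE_ID = "AVD-AWS-0087"
SEVERITY = "HIGH"


@dataclass(frozen=True)
class Finding:
    bucket: str
    rule_id: str
    severity: str
    message: str


def evaluate_public_access_block(bucket: str,
                                 config: Optional[Dict[str, bool]]) -> List[Finding]:
    """Return findings for one bucket.

    config is the PublicAccessBlockConfiguration dict; None means the bucket
    has no public access block, which S3 treats as every flag being false.
    """
    flags = config or {}
    if flags.get("BlockPublicPolicy", False):
        return []
    return [Finding(bucket, RULE_ID, SEVERITY,
                    "BlockPublicPolicy is not enabled: a bucket policy that "
                    "grants public access can still be PUT on this bucket")]


def is_public_policy(policy: Dict[str, Any]) -> bool:
    """Simplified 'public policy' test (assumption: approximates S3's rules,
    which additionally consider Condition keys). Any Allow statement with a
    wildcard principal and no Condition counts as public."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if aws == "*" or (isinstance(aws, list) and "*" in aws):
                return True
    return False


def check_bucket(bucket: str, s3_client) -> List[Finding]:
    """Fetch the live configuration via a boto3-style client and evaluate it.

    S3 raises NoSuchPublicAccessBlockConfiguration when no block was ever set;
    that case is treated as 'all flags false', exactly like the API does.
    """
    try:
        resp = s3_client.get_public_access_block(Bucket=bucket)
        config = resp["PublicAccessBlockConfiguration"]
    except Exception as exc:  # botocore.exceptions.ClientError carries .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != "NoSuchPublicAccessBlockConfiguration":
            raise
        config = None
    return evaluate_public_access_block(bucket, config)


# Constructed sample inputs; not real buckets, policies or API responses.
GOOD_CONFIG = {"BlockPublicAcls": True, "BlockPublicPolicy": True,
               "IgnorePublicAcls": True, "RestrictPublicBuckets": True}
BAD_CONFIG = {"BlockPublicAcls": True, "BlockPublicPolicy": False,
              "IgnorePublicAcls": True, "RestrictPublicBuckets": False}

PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::mybucket/*"}],
}
ACCOUNT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::mybucket/*"}],
}

if __name__ == "__main__":
    for name, cfg in (("good_example", GOOD_CONFIG),
                      ("bad_example", BAD_CONFIG), ("no_block", None)):
        for f in evaluate_public_access_block(name, cfg):
            print(f"{f.severity} {f.rule_id} {f.bucket}: {f.message}")
    print("public:", is_public_policy(PUBLIC_READ_POLICY),
          "account-only:", is_public_policy(ACCOUNT_ONLY_POLICY))
```

Run against a real account by passing `boto3.client("s3")` to check_bucket for each bucket listed by list_buckets; the fake-client shape used in testing mirrors the two outcomes that matter, a returned configuration and the missing-block error.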