Severity: HIGH
Source: Trivy
ID: AVD-AWS-0091

S3 Access Block should Ignore Public Acl

S3 buckets should ignore public ACLs on the bucket and on any objects it contains. Ignoring differs from blocking: with IgnorePublicAcls set, a PUT call that specifies a public ACL still succeeds, but the public ACL is not applied, so the object stays private.

Impact

PUT calls with public ACLs specified can make objects public

Follow the appropriate remediation steps below to resolve the issue.

Enable ignoring the application of public ACLs in PUT calls

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Properties:
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true   # the property this check looks for
        RestrictPublicBuckets: true
    Type: AWS::S3::Bucket

Enable ignoring the application of public ACLs in PUT calls

resource "aws_s3_bucket_public_access_block" "good_example" {
  bucket = aws_s3_bucket.example.id

  ignore_public_acls = true   # the setting this check looks for
}
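To make the check and the ignore-versus-block distinction concrete, here is an added example (not Trivy's own Rego check): it scans a CloudFormation template for S3 buckets that do not set IgnorePublicAcls and models how a PUT carrying a public canned ACL fares under each block setting. The function names, the finding format and the constructed sample template are assumptions made for this example.

```python
"""Added example, not Trivy's own check: an AVD-AWS-0091 style scan of a
CloudFormation template, plus a model of what IgnorePublicAcls changes at PUT time."""
from __future__ import annotations
import json

RULE_ID = "AVD-AWS-0091"
# S3 Block Public Access treats grants to AllUsers or AuthenticatedUsers as public.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}

def _is_true(value) -> bool:
    # CloudFormation accepts a boolean or the strings "true"/"false".
    return value is True or str(value).lower() == "true"

def check_template(template: dict) -> list[dict]:
    """One finding per AWS::S3::Bucket whose block config does not ignore public ACLs."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        pab = (res.get("Properties") or {}).get("PublicAccessBlockConfiguration") or {}
        if not _is_true(pab.get("IgnorePublicAcls", False)):
            findings.append({"id": RULE_ID, "severity": "HIGH", "resource": name,
                             "message": "S3 Access Block should Ignore Public Acl"})
    return findings

def put_with_acl_outcome(pab: dict, canned_acl: str) -> str:
    """Fate of a PUT carrying canned_acl under PublicAccessBlockConfiguration pab:
    BlockPublicAcls rejects the call, IgnorePublicAcls accepts it but discards the
    public grant, and with neither set the object becomes public (the rule's impact)."""
    if canned_acl not in PUBLIC_CANNED_ACLS:
        return "applied"
    if _is_true(pab.get("BlockPublicAcls", False)):
        return "rejected"
    if _is_true(pab.get("IgnorePublicAcls", False)):
        return "accepted, ACL ignored"
    return "accepted, object public"

# Constructed sample: GoodExample mirrors the page's template, BadExample omits the flag.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "GoodExample": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "BlockPublicPolicy": true,
                                       "IgnorePublicAcls": true, "RestrictPublicBuckets": true}}},
  "BadExample": {"Type": "AWS::S3::Bucket", "Properties": {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": false, "IgnorePublicAcls": false}}},
  "NotABucket": {"Type": "AWS::SQS::Queue", "Properties": {}}}}""")

def scan_sample() -> list[str]:
    """Resource names flagged in the constructed sample (expected: ['BadExample'])."""
    return [f["resource"] for f in check_template(SAMPLE_TEMPLATE)]
```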