Specify Public Access Block | Vulnerability Database

S3 buckets should each define an aws_s3_bucket_public_access_block

The “block public access” settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.

Impact

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


Resources:
  GoodExample:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


resource "aws_s3_bucket" "example" {
  bucket = "example"
  acl    = "private-read"
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket              = aws_s3_bucket.example.id
  block_public_acls   = true
  block_public_policy = true
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket