no-public-access-with-acl

Explanation

S3 bucket permissions should be set to deny public access unless explicitly required.

Granting write access publicly with public-read-write is especially dangerous as you will be billed for any uploaded files.

Additionally, you should not use the authenticated-read canned ACL, as this provides read access to any authenticated AWS user, not just AWS users within your organisation.

Possible Impact

The contents of the bucket can be accessed publicly

Suggested Resolution

Apply a more restrictive bucket ACL

Insecure Example

The following example will fail the aws-s3-no-public-access-with-acl check.

resource "aws_s3_bucket" "bad_example" {
    acl = "public-read"
}

Secure Example

The following example will pass the aws-s3-no-public-access-with-acl check.

resource "aws_s3_bucket" "good_example" {
    acl = "private"
}
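The check above boils down to one question: does a bucket (or its ACL resource) use a canned ACL that grants access beyond the owning account? The following Python script is an added example, not part of this page or the scanner's own implementation. It scans Terraform text for the three canned ACLs the explanation names (public-read, public-read-write and authenticated-read) on aws_s3_bucket resources, and also on the separate aws_s3_bucket_acl resource that newer AWS provider versions use for the acl argument. The sample Terraform it runs over is constructed for the example and mirrors the insecure and secure examples on this page.

```python
import re

# Canned ACLs that grant access outside the bucket owner's account.
# public-read-write is the worst case: anyone can upload, and the owner pays.
# authenticated-read grants read to any AWS account, not just your own.
RISKY_ACLS = {"public-read", "public-read-write", "authenticated-read"}

# Top-level resource blocks of the two types that carry a canned ACL.
# The body is captured up to a closing brace at the start of a line, which is
# how terraform fmt lays out resource blocks; nested blocks are not needed
# to read the acl argument.
RESOURCE_RE = re.compile(
    r'resource\s+"(aws_s3_bucket|aws_s3_bucket_acl)"\s+"([^"]+)"\s*\{(.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# The acl argument itself: acl = "<canned-acl>"
ACL_RE = re.compile(r'^\s*acl\s*=\s*"([^"]+)"', re.MULTILINE)

# Constructed sample: two buckets from this page plus a bucket whose ACL is
# set through the separate aws_s3_bucket_acl resource, and one using
# authenticated-read. Not real infrastructure.
SAMPLE_TF = '''
resource "aws_s3_bucket" "bad_example" {
    acl = "public-read"
}

resource "aws_s3_bucket" "good_example" {
    acl = "private"
}

resource "aws_s3_bucket" "uploads" {
    bucket = "example-uploads"
}

resource "aws_s3_bucket_acl" "uploads" {
    bucket = aws_s3_bucket.uploads.id
    acl    = "public-read-write"
}

resource "aws_s3_bucket" "reports" {
    acl = "authenticated-read"
}
'''


def find_public_acls(hcl: str):
    """Return (resource_type, name, acl) for every bucket or bucket ACL
    resource whose canned ACL grants access beyond the owning account.
    A resource with no acl argument is not reported: the AWS default is
    private, and a missing argument is not what this check is about."""
    findings = []
    for rtype, name, body in RESOURCE_RE.findall(hcl):
        match = ACL_RE.search(body)
        if match and match.group(1) in RISKY_ACLS:
            findings.append((rtype, name, match.group(1)))
    return findings


def format_findings(findings):
    """Render findings as one line each, in the style of a scanner report."""
    return [
        f'aws-s3-no-public-access-with-acl: {rtype}.{name} uses acl "{acl}"'
        for rtype, name, acl in findings
    ]


if __name__ == "__main__":
    for line in format_findings(find_public_acls(SAMPLE_TF)):
        print(line)
```

Running the script reports bad_example, the uploads ACL resource and reports, and stays silent on good_example and on the uploads bucket itself. A real scanner parses HCL properly rather than with regular expressions; the point here is the rule, not the parser.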