acl-no-public-read

Explanation

Space bucket and bucket object permissions should be set to deny public access unless explicitly required.

Possible Impact

The contents of the space can be accessed publicly

Suggested Resolution

Apply a more restrictive ACL

Insecure Example

The following example will fail the digitalocean-spaces-acl-no-public-read check.

resource "digitalocean_spaces_bucket" "bad_example" {
  name   = "public_space"
  region = "nyc3"
  acl    = "public-read"
}

resource "digitalocean_spaces_bucket_object" "index" {
  region       = digitalocean_spaces_bucket.bad_example.region
  bucket       = digitalocean_spaces_bucket.bad_example.name
  key          = "index.html"
  content      = "<html><body><p>This page is empty.</p></body></html>"
  content_type = "text/html"
  acl          = "public-read"
}

Secure Example

The following example will pass the digitalocean-spaces-acl-no-public-read check.

resource "digitalocean_spaces_bucket" "good_example" {
  name   = "private_space"
  region = "nyc3"
  acl    = "private"
}

resource "digitalocean_spaces_bucket_object" "index" {
  region       = digitalocean_spaces_bucket.good_example.region
  bucket       = digitalocean_spaces_bucket.good_example.name
  key          = "index.html"
  content      = "<html><body><p>This page is empty.</p></body></html>"
  content_type = "text/html"
}

Related Links

• https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket#acl

• https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket_object#acl

• https://docs.digitalocean.com/reference/api/spaces-api/#access-control-lists-acls