Skip to content

tfsec

S3 Access block should block public ACL

aquasecurity/tfsec

S3 Access block should block public ACL

Default Severity: high

Explanation

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

Possible Impact

PUT calls with public ACLs specified can make objects public

Suggested Resolution

Enable blocking any PUT calls with a public ACL specified

Insecure Example

The following example will fail the aws-s3-block-public-acls check.

resource "aws_s3_bucket" "bad_example" {
  bucket = "mybucket"
}

resource "aws_s3_bucket_public_access_block" "bad_example" {
  bucket = aws_s3_bucket.bad_example.id
}

Secure Example

The following example will pass the aws-s3-block-public-acls check.

resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"
}

resource "aws_s3_bucket_public_access_block" "good_example" {
  bucket = aws_s3_bucket.good_example.id
  block_public_acls = true
}

Links