Skip to content

S3 Access block should restrict public bucket to limit access

Default Severity: high

Explanation

S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

Possible Impact

Public buckets can be accessed by anyone

Suggested Resolution

Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

Insecure Example

The following example will fail the aws-s3-no-public-buckets check.

resource "aws_s3_bucket" "example" {
    bucket = "bucket"
}

 resource "aws_s3_bucket_public_access_block" "bad_example" {
    bucket = aws_s3_bucket.example.id
 }

 resource "aws_s3_bucket_public_access_block" "bad_example" {
    bucket = aws_s3_bucket.example.id

    restrict_public_buckets = false
 }

Secure Example

The following example will pass the aws-s3-no-public-buckets check.

resource "aws_s3_bucket" "example" {
    bucket = "bucket"
}

resource "aws_s3_bucket_public_access_block" "good_example" {
    bucket = aws_s3_bucket.example.id

    restrict_public_buckets = true
 }