S3 bucket has block public ACLs disabled
ID | s3_bucket_public_access_block
Severity | high
Vendor | AWS
Resource | S3
Tags | reachable
Description
S3 buckets and stored objects in AWS are private by default, but users have the option to use Access Control Lists (ACLs) and bucket policies to grant additional access to external AWS accounts, including anonymous public access.
To enforce a central limit against such grants, AWS provides the S3 Block Public Access feature. Administrators and bucket owners can set up centralized controls that limit public access and are enforced regardless of how the resources are created.
This policy checks whether S3 buckets have BlockPublicAcls and BlockPublicPolicy enabled.
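The check described above can be implemented as a small buildtime rule. The following is an added example (not the scanner's own rule code): it walks the Resources of a CloudFormation template, finds every AWS::S3::Bucket, and reports a finding unless PublicAccessBlockConfiguration is present with both BlockPublicAcls and BlockPublicPolicy set to true. The three sample templates and the finding format are constructed for this example; the policy ID and severity are the ones listed on this page.

```python
"""Added example: evaluate CloudFormation S3 buckets against the
s3_bucket_public_access_block policy (not the scanner's own code)."""
import json

POLICY_ID = "s3_bucket_public_access_block"   # from the policy metadata above
SEVERITY = "high"                              # from the policy metadata above
# The policy requires both of these keys to be enabled on every bucket.
REQUIRED_SETTINGS = ("BlockPublicAcls", "BlockPublicPolicy")


def _is_true(value) -> bool:
    """CloudFormation accepts booleans either as JSON true or as the string "true"."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_template(template: dict) -> list[dict]:
    """Return one finding per AWS::S3::Bucket that fails the policy.

    A bucket fails when PublicAccessBlockConfiguration is absent, or when
    either required setting is missing or not true. Other resource types
    are ignored.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        properties = resource.get("Properties") or {}
        pab = properties.get("PublicAccessBlockConfiguration") or {}
        missing = [key for key in REQUIRED_SETTINGS if not _is_true(pab.get(key))]
        if missing:
            findings.append({
                "policy": POLICY_ID,
                "severity": SEVERITY,
                "resource": logical_id,
                "missing": missing,   # which settings still need to be enabled
            })
    return findings


def check_template_json(text: str) -> list[dict]:
    """Convenience wrapper for a JSON-encoded template."""
    return check_template(json.loads(text))


# Constructed sample templates (hypothetical bucket names).
# 1) No PublicAccessBlockConfiguration at all: both settings are reported.
FAILING_TEMPLATE = """
{"Resources": {"S3Bucket": {"Type": "AWS::S3::Bucket",
   "Properties": {"BucketName": "example"}}}}
"""

# 2) Both required settings enabled: no finding.
PASSING_TEMPLATE = """
{"Resources": {"S3Bucket": {"Type": "AWS::S3::Bucket",
   "Properties": {"BucketName": "example",
     "PublicAccessBlockConfiguration": {
       "BlockPublicAcls": true, "BlockPublicPolicy": true,
       "IgnorePublicAcls": true, "RestrictPublicBuckets": false}}}}}
"""

# 3) Only one of the two settings enabled: the other is reported.
PARTIAL_TEMPLATE = """
{"Resources": {"S3Bucket": {"Type": "AWS::S3::Bucket",
   "Properties": {"BucketName": "example",
     "PublicAccessBlockConfiguration": {
       "BlockPublicAcls": "true", "BlockPublicPolicy": false}}}}}
"""

if __name__ == "__main__":
    for name, text in (("failing", FAILING_TEMPLATE),
                       ("passing", PASSING_TEMPLATE),
                       ("partial", PARTIAL_TEMPLATE)):
        print(name, json.dumps(check_template_json(text)))
```

Running the module prints one finding for the failing template (both settings missing), none for the passing template, and a finding listing only BlockPublicPolicy for the partial template. Templates written in YAML can be fed to check_template after loading them with a YAML parser, since the resource structure is the same.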
Examples
CloudFormation
{
"Resources": {
"S3Bucket": { (1)
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "example"
}
}
}
}
1 | Missing BlockPublicAcls and BlockPublicPolicy means block public policy and public ACLs are not enabled. |
Resources:
S3Bucket: (1)
Type: 'AWS::S3::Bucket'
Properties:
BucketName: 'example'
1 | Missing BlockPublicAcls and BlockPublicPolicy means block public policy and public ACLs are not enabled. |
Mitigation / Fix
Buildtime
CloudFormation
{
"Resources": {
"S3Bucket": { (1)
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "example",
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": false
}
}
}
}
}
1 | BlockPublicAcls and BlockPublicPolicy set to true means block public policy and public ACLs are enabled. |
Resources:
S3Bucket: (1)
Type: 'AWS::S3::Bucket'
Properties:
BucketName: 'example'
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: false
1 | BlockPublicAcls and BlockPublicPolicy set to true means block public policy and public ACLs are enabled. |
Terraform
resource "aws_s3_bucket" "my_bucket" {
bucket = "my-bucket"
}
resource "aws_s3_bucket_public_access_block" "non_public" {
bucket = aws_s3_bucket.my_bucket.id
block_public_acls = true (1)
block_public_policy = true (2)
}
1 | Amazon S3 should block public ACLs for the bucket. |
2 | Amazon S3 should block public bucket policies for this bucket. |
With these settings, PUT Bucket acl and PUT Object acl calls will fail if the specified ACL allows public access; PUT Object calls will fail if the request includes an object ACL; and calls to PUT Bucket policy will be rejected if the specified bucket policy allows public access.
In this example, the public access block applies to the specified bucket; when configured at the account level, it applies to all buckets and access points owned by that account.