S3 bucket has `restrict_public_buckets` disabled Affecting S3 service in AWS


Severity

0.0
high
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    General / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-AWS CIS-Controls CSA-CCM
  • Snyk ID SNYK-CC-00266
  • credit Snyk Research Team

Description

If a public policy is attached to a bucket and restrict_public_buckets is disabled, anyone will be able to read and/or write to the bucket.

How to fix?

Set the aws_s3_bucket_public_access_block or aws_s3_account_public_access_block restrict_public_buckets field to true.

To enable block public access settings at the bucket level:

To enable block public access settings at the account level:

Example Configuration

# Enable for a single bucket
resource "aws_s3_bucket" "private" {
  acl           = "private"
  # other required fields here
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = "${aws_s3_bucket.private.id}"
  restrict_public_buckets     = true
}
# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
  restrict_public_buckets     = true
}