Snyk ID SNYK-CC-00191
- credit Snyk Research Team
Description
With block_public_acls disabled, any principal who can manage the bucket's ACLs (for example, one allowed s3:PutBucketAcl or s3:PutObjectAcl) can grant public access to the bucket or its objects simply by applying a public ACL such as public-read. Enabling block_public_acls makes S3 reject any request that would attach a public ACL to the bucket or to objects in it.
How to fix?
Set the block_public_acls field of aws_s3_bucket_public_access_block (per bucket) or aws_s3_account_public_access_block (account-wide) to true. Note that the Terraform AWS provider defaults this field to false, so it must be declared explicitly; AWS itself enables all Block Public Access settings on newly created buckets by default (since April 2023), but a bucket created with that default and no Terraform-managed block has nothing in code preventing the setting from being switched off later. Account-level and bucket-level settings are combined, and AWS applies the more restrictive of the two.
To enable block public access settings explicitly at the bucket level:
Ensure that the aws_s3_bucket is referenced in the bucket field of an aws_s3_bucket_public_access_block and that the following aws_s3_bucket_public_access_block field is set to true: block_public_acls
To enable block public access settings explicitly at the account level:
Ensure that the following aws_s3_account_public_access_block field is set to true: block_public_acls
Example Configuration
# Enable for a single bucket
resource "aws_s3_bucket" "private" {
  bucket = "example-private-bucket" # placeholder name; other required fields here
  # The inline acl argument is deprecated in provider v4+ and conflicts with
  # aws_s3_bucket_acl below, so the ACL is managed by that resource instead.
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket            = aws_s3_bucket.private.id
  block_public_acls = true # defaults to false if omitted
}

# aws_s3_bucket_acl only works when object ownership still allows ACLs
resource "aws_s3_bucket_ownership_controls" "private" {
  bucket = aws_s3_bucket.private.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "private" {
  depends_on = [aws_s3_bucket_ownership_controls.private]
  bucket     = aws_s3_bucket.private.id
  acl        = "private"
}

# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
  block_public_acls = true
}
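The following is an added example, not code from Snyk's rule engine or from HashiCorp: a small Python checker that applies this rule to the JSON that `terraform show -json tfplan` produces, reporting every aws_s3_bucket in the root module that has no effective block_public_acls = true. It shows the two details a plan-time checker has to get right: the `bucket = aws_s3_bucket.x.id` reference is unknown at plan time, so the link must be taken from the configuration section's `references` list (or from a literal `constant_value` bucket name), and an account-wide aws_s3_account_public_access_block with block_public_acls = true covers every bucket because AWS applies the more restrictive setting. The sample plan embedded below is constructed for the example; the function names are the example's own.

```python
"""Check Terraform plan JSON for buckets lacking block_public_acls = true.

Example code for SNYK-CC-00191, not part of Snyk or Terraform. Only the root
module is inspected; resources inside child modules are not considered.
"""
import copy
import json
import sys
from typing import Dict, List, Optional

BUCKET = "aws_s3_bucket"
BUCKET_PAB = "aws_s3_bucket_public_access_block"
ACCOUNT_PAB = "aws_s3_account_public_access_block"


def _root_resources(plan: dict, section: str) -> list:
    return plan.get(section, {}).get("root_module", {}).get("resources", [])


def _target_bucket(cfg_resource: dict, name_to_address: Dict[str, str]) -> Optional[str]:
    """Resolve which aws_s3_bucket a public access block's `bucket` argument names.

    `bucket = aws_s3_bucket.x.id` is unknown at plan time, so planned_values has
    no value for it; the configuration section lists the references instead,
    e.g. ["aws_s3_bucket.x.id", "aws_s3_bucket.x"]. A literal name appears as
    constant_value and is matched against the planned buckets' `bucket` values.
    """
    expr = cfg_resource.get("expressions", {}).get("bucket", {})
    for ref in expr.get("references", []):
        parts = ref.split(".")
        if len(parts) >= 2 and parts[0] == BUCKET:
            return f"{parts[0]}.{parts[1]}"
    return name_to_address.get(expr.get("constant_value"))


def buckets_missing_block_public_acls(plan: dict) -> List[str]:
    """Addresses of aws_s3_bucket resources with no effective block_public_acls = true."""
    planned = _root_resources(plan, "planned_values")
    config = _root_resources(plan, "configuration")

    # AWS applies the more restrictive of account- and bucket-level settings,
    # so an account-wide block_public_acls = true protects every bucket.
    if any(r["type"] == ACCOUNT_PAB and r.get("values", {}).get("block_public_acls") is True
           for r in planned):
        return []

    buckets = [r for r in planned if r["type"] == BUCKET]
    name_to_address = {r["values"]["bucket"]: r["address"]
                       for r in buckets if "bucket" in r.get("values", {})}
    # The provider defaults block_public_acls to false, so a missing value is a finding.
    pab_enabled = {r["address"]: r.get("values", {}).get("block_public_acls") is True
                   for r in planned if r["type"] == BUCKET_PAB}

    protected = set()
    for r in config:
        if r["type"] == BUCKET_PAB and pab_enabled.get(r["address"], False):
            target = _target_bucket(r, name_to_address)
            if target:
                protected.add(target)

    return sorted(r["address"] for r in buckets if r["address"] not in protected)


# Constructed sample in the shape of `terraform show -json` output (trimmed to the
# keys used above). Note the blocks referencing a bucket by id carry no `bucket`
# value in planned_values, exactly as a real plan would.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.private", "type": BUCKET, "values": {"bucket": "example-private"}},
        {"address": "aws_s3_bucket.assets", "type": BUCKET, "values": {"bucket": "example-assets"}},
        {"address": "aws_s3_bucket.logs", "type": BUCKET, "values": {"bucket": "example-logs"}},
        {"address": "aws_s3_bucket.uploads", "type": BUCKET, "values": {"bucket": "example-uploads"}},
        {"address": "aws_s3_bucket_public_access_block.private", "type": BUCKET_PAB,
         "values": {"block_public_acls": True}},
        {"address": "aws_s3_bucket_public_access_block.assets", "type": BUCKET_PAB,
         "values": {"bucket": "example-assets", "block_public_acls": True}},
        {"address": "aws_s3_bucket_public_access_block.uploads", "type": BUCKET_PAB,
         "values": {"block_public_acls": False}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket_public_access_block.private", "type": BUCKET_PAB,
         "expressions": {"bucket": {"references": ["aws_s3_bucket.private.id", "aws_s3_bucket.private"]},
                         "block_public_acls": {"constant_value": True}}},
        {"address": "aws_s3_bucket_public_access_block.assets", "type": BUCKET_PAB,
         "expressions": {"bucket": {"constant_value": "example-assets"},
                         "block_public_acls": {"constant_value": True}}},
        {"address": "aws_s3_bucket_public_access_block.uploads", "type": BUCKET_PAB,
         "expressions": {"bucket": {"references": ["aws_s3_bucket.uploads.id", "aws_s3_bucket.uploads"]},
                         "block_public_acls": {"constant_value": False}}},
    ]}},
}

# Same plan with an account-wide block added: no bucket should be reported.
SAMPLE_PLAN_ACCOUNT_LEVEL = copy.deepcopy(SAMPLE_PLAN)
SAMPLE_PLAN_ACCOUNT_LEVEL["planned_values"]["root_module"]["resources"].append(
    {"address": "aws_s3_account_public_access_block.main", "type": ACCOUNT_PAB,
     "values": {"block_public_acls": True}})

if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python check.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address in buckets_missing_block_public_acls(plan):
        print(f"{address}: no aws_s3_bucket_public_access_block with block_public_acls = true")
```

Run against the embedded sample, the checker reports aws_s3_bucket.logs (no public access block at all) and aws_s3_bucket.uploads (a block whose block_public_acls is false), while aws_s3_bucket.private (linked by reference) and aws_s3_bucket.assets (linked by literal name) pass. Treating an absent block_public_acls value as false mirrors the provider default, which is why "use the default settings" is not a safe fix in Terraform.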