CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00191
- creditSnyk Research Team
Description
Anyone who can manage the bucket's ACLs will be able to grant public access to the bucket.
How to fix?
Set the aws_s3_bucket_public_access_block or aws_s3_account_public_access_block block_public_acls field to true or use the default settings.
To enable block public access settings explicitly at the bucket level:
Ensure that the aws_s3_bucket is referenced in an aws_s3_bucket_public_access_block
bucketfield and that all of the following aws_s3_bucket_public_access_block fields are set totrue:block_public_acls
To enable block public access settings explicitly at the account level:
Ensure that all of the following aws_s3_account_public_access_block fields are set to
true:block_public_acls
Example Configuration
# Enable for a single bucket
resource "aws_s3_bucket" "private" {
acl = "private"
# other required fields here
}
resource "aws_s3_bucket_public_access_block" "private" {
bucket = "${aws_s3_bucket.private.id}"
block_public_acls = true
}
resource "aws_s3_bucket_ownership_controls" "private" {
bucket = "${aws_s3_bucket.private.id}"
rule {
object_ownership = "BucketOwnerPreferred"
}
}
resource "aws_s3_bucket_acl" "private" {
depends_on = [aws_s3_bucket_ownership_controls.private]
bucket = "${aws_s3_bucket.private.id}"
acl = "private"
}
# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
block_public_acls = true
}
Configure a PublicAccessBlockConfiguration for the AWS::S3::Bucket or use the default settings.
Block public access settings currently cannot be explicitly enabled at the account level in CloudFormation. Enable these settings for each bucket instead.
Example Configuration
JSON example configuration:
{
"Type" : "AWS::S3::Bucket",
"Properties" : {
"PublicAccessBlockConfiguration" : {
"BlockPublicAcls" : true,
"BlockPublicPolicy" : true,
"IgnorePublicAcls" : true,
"RestrictPublicBuckets" : true
}
}
# other required fields here
}
YAML example configuration:
Type: AWS::S3::Bucket
Properties:
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls : true
RestrictPublicBuckets : true
# other required fields here