CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
Anyone who can manage the bucket's ACLs will be able to grant public access to the bucket.
Set the aws_s3_bucket_public_access_block or aws_s3_account_public_access_block block_public_acls field to true or use the default settings.
To enable block public access settings explicitly at the bucket level:
Ensure that the aws_s3_bucket is referenced in an aws_s3_bucket_public_access_block bucket field and that all of the following aws_s3_bucket_public_access_block fields are set to true:
block_public_acls
To enable block public access settings explicitly at the account level:
Ensure that all of the following aws_s3_account_public_access_block fields are set to true:
block_public_acls
Example configuration:
# Enable for a single bucket
resource "aws_s3_bucket" "private" {
  acl           = "private"
  # other required fields here
}
resource "aws_s3_bucket_public_access_block" "private" {
  bucket            = aws_s3_bucket.private.id
  block_public_acls = true
}
resource "aws_s3_bucket_ownership_controls" "private" {
  bucket = aws_s3_bucket.private.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}
resource "aws_s3_bucket_acl" "private" {
  depends_on = [aws_s3_bucket_ownership_controls.private]
  bucket     = aws_s3_bucket.private.id
  acl        = "private"
}
# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
  block_public_acls = true
}
Configure a PublicAccessBlockConfiguration for the AWS::S3::Bucket or use the default settings.
Block public access settings currently cannot be explicitly enabled at the account level in CloudFormation. Enable these settings for each bucket instead.
Example configuration:
JSON example configuration:
{
  "Type" : "AWS::S3::Bucket",
  "Properties" : {
    "PublicAccessBlockConfiguration" : {
      "BlockPublicAcls" : true,
      "BlockPublicPolicy" : true,
      "IgnorePublicAcls" : true,
      "RestrictPublicBuckets" : true
    }
  }
  # other required fields here
}
YAML example configuration:
Type: AWS::S3::Bucket
Properties:
  PublicAccessBlockConfiguration:
    BlockPublicAcls: true
    BlockPublicPolicy: true
    IgnorePublicAcls: true
    RestrictPublicBuckets: true
# other required fields here
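
The following Python check for the CloudFormation case above is an added example, not part of the original page or of any scanner's own code. It runs over a constructed JSON template; the function names, status labels, and the handling of omitted or parameterized values are assumptions.

```python
import json

# Constructed sample template (not from the page), one bucket per outcome.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {"BlockAcls": {"Type": "String", "Default": "true"}},
    "Resources": {
        "Explicit": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
        "Disabled": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": False}}},
        "Defaults": {"Type": "AWS::S3::Bucket"},
        "Parameterized": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": {"Ref": "BlockAcls"}}}},
        "Topic": {"Type": "AWS::SNS::Topic"},
    },
})


def classify(value):
    """Map one BlockPublicAcls value to a status label (labels are assumptions)."""
    if isinstance(value, dict):   # intrinsic function such as Ref: not resolvable statically
        return "unresolved"
    if value is True or str(value).lower() == "true":
        return "enabled"
    return "disabled"


def check_block_public_acls(template_text):
    """Return {logical_id: status} for every AWS::S3::Bucket in a JSON template."""
    resources = json.loads(template_text).get("Resources", {})
    findings = {}
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        pab = (resource.get("Properties") or {}).get("PublicAccessBlockConfiguration")
        if pab is None:
            findings[logical_id] = "default"   # no block given: relies on default settings
        else:
            # Assumption: a field omitted from an explicit block counts as not enabled.
            findings[logical_id] = classify(pab.get("BlockPublicAcls", False))
    return findings


if __name__ == "__main__":
    for bucket, status in check_block_public_acls(SAMPLE_TEMPLATE).items():
        print(f"{bucket}: {status}")
```

Buckets reported as "unresolved" need the parameter value checked at deploy time, since a static pass cannot tell what a Ref will resolve to.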