Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CC-00195
- credit Snyk Research Team
Description
AWS's S3 Block Public Access feature has four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets. All four settings are enabled by default to help prevent the risk of a data breach.
How to fix?
By default, AWS blocks all public access to an S3 bucket. This default setting is considered secure.
This default setting can also be explicitly configured by creating an aws_s3_bucket_public_access_block resource for each bucket, or configuring an aws_s3_account_public_access_block to enable block public access settings at the account level.
To enable block public access settings at the bucket level:
Ensure that the aws_s3_bucket is referenced in an aws_s3_bucket_public_access_block
bucketfield and that all of the following aws_s3_bucket_public_access_block fields are set totrue:block_public_aclsblock_public_policyignore_public_aclsrestrict_public_buckets
To enable block public access settings at the account level:
Ensure that all of the following aws_s3_account_public_access_block fields are set to
true:block_public_aclsblock_public_policyignore_public_aclsrestrict_public_buckets
Example Configuration
# Enable for a single bucket
resource "aws_s3_bucket" "private" {
acl = "private"
# other required fields here
}
resource "aws_s3_bucket_public_access_block" "private" {
bucket = aws_s3_bucket.private.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}