CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
AWS's S3 Block Public Access feature has four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets. All four settings are enabled by default to help reduce the risk of a data breach.
By default, AWS blocks all public access to an S3 bucket. This default setting is considered secure.
This default setting can also be explicitly configured by creating an aws_s3_bucket_public_access_block resource for each bucket, or by configuring an aws_s3_account_public_access_block resource to enable the block public access settings at the account level.
To enable block public access settings at the bucket level, ensure that the aws_s3_bucket is referenced in the bucket field of an aws_s3_bucket_public_access_block resource, and that all of the following aws_s3_bucket_public_access_block fields are set to true:
block_public_acls
block_public_policy
ignore_public_acls
restrict_public_buckets
To enable block public access settings at the account level, ensure that all of the following aws_s3_account_public_access_block fields are set to true:
block_public_acls
block_public_policy
ignore_public_acls
restrict_public_buckets
# Enable for a single bucket
resource "aws_s3_bucket" "private" {
  # Note: the inline acl argument is deprecated in AWS provider v4+
  # in favour of a separate aws_s3_bucket_acl resource.
  acl = "private"
  # other required fields here
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = aws_s3_bucket.private.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
By default, AWS blocks all public access to an S3 bucket. This default setting is considered secure.
This default setting can also be explicitly configured by setting the PublicAccessBlockConfiguration property on each AWS::S3::Bucket resource.
Block public access settings currently cannot be enabled at the account level in CloudFormation. Enable these settings for each bucket instead.
JSON example configuration (JSON does not allow comments, so any other required bucket properties go alongside BucketName under Properties):
{
  "Type" : "AWS::S3::Bucket",
  "Properties" : {
    "BucketName" : "Example-Bucket-Name",
    "PublicAccessBlockConfiguration" : {
      "BlockPublicAcls" : true,
      "BlockPublicPolicy" : true,
      "IgnorePublicAcls" : true,
      "RestrictPublicBuckets" : true
    }
  }
}
YAML example configuration:
Type: 'AWS::S3::Bucket'
Properties:
  BucketName: Example-Bucket-Name
  PublicAccessBlockConfiguration:
    BlockPublicAcls: true
    BlockPublicPolicy: true
    IgnorePublicAcls: true
    RestrictPublicBuckets: true
  # other required fields here
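The two procedures above (the Terraform bucket-level and account-level resources, and the CloudFormation PublicAccessBlockConfiguration property) can be checked offline before apply. The following is an added example written for this page, not code from the rule page or from AWS, Terraform or Snyk. It assumes the Terraform input is the "configuration" section of `terraform show -json` output for a plan (booleans appear as `constant_value`, the bucket argument as `references`), and that the CloudFormation template has already been loaded as a dict; the sample inputs are constructed for the demonstration.

```python
"""Added example: offline check that S3 Block Public Access is fully enabled.

Assumes `terraform show -json` plan output for Terraform and a template
loaded as a dict for CloudFormation. Sample inputs below are constructed.
"""

TF_FLAGS = ("block_public_acls", "block_public_policy",
            "ignore_public_acls", "restrict_public_buckets")
CFN_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")


def _enabled(value):
    """True only for a literal true (CloudFormation also accepts the string "true")."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def _not_enabled(settings, flags):
    """Names of the flags that are absent from `settings` or not enabled."""
    return [f for f in flags if not _enabled(settings.get(f))]


def check_terraform_plan(plan):
    """Return a list of findings (empty means compliant) for a plan's configuration."""
    findings = []
    resources = plan["configuration"]["root_module"]["resources"]
    covered = set()       # bucket addresses that some bucket-level block references
    account_wide = False  # an account-level block with all four flags true exists
    for res in resources:
        if res["type"] not in ("aws_s3_bucket_public_access_block",
                               "aws_s3_account_public_access_block"):
            continue
        exprs = res.get("expressions", {})
        flags = {f: exprs.get(f, {}).get("constant_value") for f in TF_FLAGS}
        missing = _not_enabled(flags, TF_FLAGS)
        if missing:
            findings.append(f"{res['address']}: not true: {', '.join(missing)}")
        elif res["type"] == "aws_s3_account_public_access_block":
            account_wide = True
        # A bucket-level block names its bucket by reference (aws_s3_bucket.x.id);
        # a literal bucket name string is not matched by this check.
        for ref in exprs.get("bucket", {}).get("references", []):
            parts = ref.split(".")
            if len(parts) >= 2 and parts[0] == "aws_s3_bucket":
                covered.add(f"aws_s3_bucket.{parts[1]}")
    if not account_wide:  # the account-level setting applies to every bucket
        for res in resources:
            if res["type"] == "aws_s3_bucket" and res["address"] not in covered:
                findings.append(f"{res['address']}: no aws_s3_bucket_public_access_block references it")
    return findings


def check_cloudformation(template):
    """Return a list of findings for every AWS::S3::Bucket in a template dict."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        pab = res.get("Properties", {}).get("PublicAccessBlockConfiguration")
        if not isinstance(pab, dict):
            findings.append(f"{name}: no PublicAccessBlockConfiguration")
            continue
        missing = _not_enabled(pab, CFN_FLAGS)
        if missing:
            findings.append(f"{name}: not true: {', '.join(missing)}")
    return findings


# Constructed sample plan: a block that leaves ignore_public_acls false,
# and a "logs" bucket with no block at all.
SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket", "expressions": {}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "expressions": {}},
    {"address": "aws_s3_bucket_public_access_block.private",
     "type": "aws_s3_bucket_public_access_block",
     "expressions": {
         "bucket": {"references": ["aws_s3_bucket.private.id", "aws_s3_bucket.private"]},
         "block_public_acls": {"constant_value": True},
         "block_public_policy": {"constant_value": True},
         "ignore_public_acls": {"constant_value": False},
         "restrict_public_buckets": {"constant_value": True}}},
]}}}

# Constructed sample template: one compliant bucket, one partial, one with no block.
SAMPLE_TEMPLATE = {"Resources": {
    "Good": {"Type": "AWS::S3::Bucket", "Properties": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "BlockPublicPolicy": True,
        "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
    "Partial": {"Type": "AWS::S3::Bucket", "Properties": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "BlockPublicPolicy": "false",
        "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
    "Open": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "example-open-bucket"}},
}}

if __name__ == "__main__":
    for finding in check_terraform_plan(SAMPLE_PLAN) + check_cloudformation(SAMPLE_TEMPLATE):
        print(finding)
```

Run against a real plan with `terraform show -json tfplan > plan.json` and pass the loaded dict to check_terraform_plan; a bucket whose block passes a literal name string instead of a reference will be reported as uncovered, which is a deliberate conservative choice. A compliant aws_s3_account_public_access_block suppresses the per-bucket coverage findings, matching the page's statement that the account-level resource enables the settings for the whole account.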