CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsIf a public policy is attached to a bucket and restrict_public_buckets
is disabled, anyone will be able to read and/or write to the bucket.
Set the aws_s3_bucket_public_access_block
or aws_s3_account_public_access_block
restrict_public_buckets
field to true
.
To enable block public access settings at the bucket level:
Ensure that the aws_s3_bucket is referenced in an aws_s3_bucket_public_access_block bucket
field and that all of the following aws_s3_bucket_public_access_block fields are set to true
:
restrict_public_buckets
To enable block public access settings at the account level:
Ensure that all of the following aws_s3_account_public_access_block fields are set to true
:
restrict_public_buckets
# Enable for a single bucket
resource "aws_s3_bucket" "private" {
acl = "private"
# other required fields here
}
resource "aws_s3_bucket_public_access_block" "private" {
bucket = "${aws_s3_bucket.private.id}"
restrict_public_buckets = true
}
# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
restrict_public_buckets = true
}
Configure a PublicAccessBlockConfiguration
for the AWS::S3::Bucket
.
Block public access settings currently cannot be enabled at the account level in CloudFormation. Enable these settings for each bucket instead.
JSON example configuration:
{
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketName" : "Example-Bucket-Name",
"PublicAccessBlockConfiguration" : {
"RestrictPublicBuckets" : true
}
}
# other required fields here
}
YAML example configuration:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: Example-Bucket-Name
PublicAccessBlockConfiguration:
RestrictPublicBuckets: true
# other required fields here