Homepage

S3 bucket does not have `ignore_public_acls` enabled Affecting S3 service in AWS

Severity

0.0
high
0
10
Severity Framework
Snyk CCSS
Rule category
General/ Access

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
Frameworks
CIS-AWSCIS-ControlsCSA-CCM
  • Snyk IDSNYK-CC-00280
  • creditSnyk Research Team
Report a new misconfiguration Found a mistake?

Description

If a public ACL is attached to the bucket, anyone will be able to read and/or write to the bucket.

How to fix?

Set the aws_s3_bucket_public_access_block or aws_s3_account_public_access_block ignore_public_acls field to true.

To enable block public access settings at the bucket level:

To enable block public access settings at the account level:

Example Configuration

# Enable for a single bucket
resource "aws_s3_bucket" "private" {
  acl           = "private"
  # other required fields here
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = "${aws_s3_bucket.private.id}"
  ignore_public_acls     = true
}

# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
  ignore_public_acls     = true
}