CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00325
- creditSnyk Research Team
Description
Anyone who can manage the bucket's policies will be able to grant public access to the bucket.
How to fix?
Set the aws_s3_bucket_public_access_block or aws_s3_account_public_access_block block_public_policy field to true or remove them entirely.
To enable block public access settings at the bucket level:
Ensure that the aws_s3_bucket is referenced in an aws_s3_bucket_public_access_block
bucketfield and that all of the following aws_s3_bucket_public_access_block fields are set totrue:block_public_policy
To enable block public access settings at the account level:
Ensure that all of the following aws_s3_account_public_access_block fields are set to
true:block_public_policy
Example Configuration
# Enable for a single bucket
resource "aws_s3_bucket" "private" {
acl = "private"
# other required fields here
}
resource "aws_s3_bucket_public_access_block" "private" {
bucket = "${aws_s3_bucket.private.id}"
block_public_policy = true
}
# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
block_public_policy = true
}
Set the BlockPublicPolicy setting at the bucket level to true, or remove it entirely.
Block public access settings currently cannot be enabled at the account level in CloudFormation. Enable these settings for each bucket instead.
Example Configuration
JSON example configuration:
{
"Type": "AWS::S3::Bucket",
"Properties":
{
"BucketName": "Example-Bucket-Name",
"PublicAccessBlockConfiguration":
{
"BlockPublicPolicy": true
}
}
# other required fields here
}
YAML example configuration:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: Example-Bucket-Name
PublicAccessBlockConfiguration:
BlockPublicPolicy: true
# other required fields here