S3 bucket has `block_public_policy` disabled Affecting S3 service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: General / Access

Frameworks: CIS-AWS, CIS-Controls, CSA-CCM
Snyk ID: SNYK-CC-00325
Credit: Snyk Research Team

Description

With `block_public_policy` disabled, anyone who can manage the bucket's policies will be able to attach a policy that grants public access to the bucket.

How to fix?

Set the `block_public_policy` field of `aws_s3_bucket_public_access_block` or `aws_s3_account_public_access_block` to true, or remove them entirely.

To enable block public access settings at the bucket level, attach an `aws_s3_bucket_public_access_block` to the bucket; to enable them at the account level, declare an `aws_s3_account_public_access_block`. Both are shown in the Example Configuration below.

Example Configuration

# Enable for a single bucket
resource "aws_s3_bucket" "private" {
  # Note: the acl argument is deprecated on aws_s3_bucket in AWS provider v4+;
  # the public access block below is what enforces the control.
  acl = "private"
  # other required fields here
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket              = aws_s3_bucket.private.id
  # Fields of this resource that are omitted default to false.
  block_public_policy = true
}

# Enable for an entire AWS account
resource "aws_s3_account_public_access_block" "main" {
  block_public_policy = true
}
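An added offline check modelled on this rule (example code, not Snyk's or Terraform's own): it reads resources in the shape of `terraform show -json` output from a constructed inline sample, treats a bucket as compliant when a bucket-level `aws_s3_bucket_public_access_block` with `block_public_policy = true` references it or an account-level block sets the same field, and returns the addresses of the rest. It assumes bucket names are literal in the values; references still unknown at plan time would not match.

```python
# Added check modelled on SNYK-CC-00325: list S3 buckets that no public access
# block protects with block_public_policy = true (terraform show -json shape).
import json

# Constructed sample shaped like `terraform show -json tfplan`; not real infra.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"bucket": "corp-logs"}},
    {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
     "values": {"bucket": "corp-assets"}},
    {"address": "aws_s3_bucket_public_access_block.logs",
     "type": "aws_s3_bucket_public_access_block",
     "values": {"bucket": "corp-logs", "block_public_policy": True}},
    {"address": "aws_s3_bucket_public_access_block.assets",
     "type": "aws_s3_bucket_public_access_block",
     "values": {"bucket": "corp-assets", "block_public_policy": False}},
]}}})

def _resources(doc):
    # Plans carry planned_values; `terraform show -json` on state carries values.
    root = (doc.get("planned_values") or doc.get("values") or {}).get("root_module", {})
    return root.get("resources", [])

def _value(r, key):
    return r.get("values", {}).get(key)

def account_blocks_public_policy(doc):
    """True when an account-level block sets block_public_policy = true."""
    return any(r["type"] == "aws_s3_account_public_access_block"
               and _value(r, "block_public_policy") is True for r in _resources(doc))

def buckets_allowing_public_policy(doc):
    """Addresses of aws_s3_bucket resources with no block_public_policy = true
    protection at bucket or account level. Assumes literal bucket names."""
    if account_blocks_public_policy(doc):
        return []  # the account-wide setting applies to every bucket
    protected = {_value(r, "bucket") for r in _resources(doc)
                 if r["type"] == "aws_s3_bucket_public_access_block"
                 and _value(r, "block_public_policy") is True}
    return [r["address"] for r in _resources(doc)
            if r["type"] == "aws_s3_bucket" and _value(r, "bucket") not in protected]

def check(plan_json, account_level=False):
    """account_level simulates adding an account block with block_public_policy = true."""
    doc = json.loads(plan_json)
    if account_level:
        _resources(doc).append({"address": "aws_s3_account_public_access_block.main",
                                "type": "aws_s3_account_public_access_block",
                                "values": {"block_public_policy": True}})
    return buckets_allowing_public_policy(doc)
```

On the sample, `check(SAMPLE_PLAN)` reports only `aws_s3_bucket.assets`, whose block sets the field to false; with `account_level=True` nothing is reported, which is the effect of the account-wide resource in the configuration above.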