By default S3 buckets are private, it means that only the bucket owner can access it.
This access control can be relaxed with ACLs or policies.
To prevent permissive policies to be set on a S3 bucket the following settings can be configured:
BlockPublicAcls: to block or not public ACLs to be set to the S3 bucket. IgnorePublicAcls: to consider or not existing public ACLs set to the S3 bucket. BlockPublicPolicy: to block or not public policies to be set to the S3 bucket. RestrictPublicBuckets: to restrict or not the access to the S3 endpoints of public policies to the principals within the bucket
owner account. There is a risk if you answered yes to any of those questions.
It’s recommended to configure:
BlockPublicAcls to true to block new attempts to set public ACLs. IgnorePublicAcls to true to block existing public ACLs. BlockPublicPolicy to true to block new attempts to set public policies. RestrictPublicBuckets to true to restrict existing public policies. By default, when not set, the PublicAccessBlockConfiguration is fully deactivated (nothing is blocked):
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucketdefault:
Type: 'AWS::S3::Bucket' # Sensitive
Properties:
BucketName: "mynoncompliantbucket"
This PublicAccessBlockConfiguration allows public ACL to be set:
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket' # Sensitive
Properties:
BucketName: "mynoncompliantbucket"
PublicAccessBlockConfiguration:
BlockPublicAcls: false # should be true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
This PublicAccessBlockConfiguration blocks public ACLs and policies, ignores existing public ACLs and restricts existing public
policies:
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket' # Compliant
Properties:
BucketName: "mycompliantbucket"
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true