By default S3 buckets are private, it means that only the bucket owner can access it.

This access control can be relaxed with ACLs or policies.

To prevent permissive policies to be set on a S3 bucket the following settings can be configured:

• BlockPublicAcls: to block or not public ACLs to be set to the S3 bucket.
• IgnorePublicAcls: to consider or not existing public ACLs set to the S3 bucket.
• BlockPublicPolicy: to block or not public policies to be set to the S3 bucket.
• RestrictPublicBuckets: to restrict or not the access to the S3 endpoints of public policies to the principals within the bucket owner account.

Ask Yourself Whether

• The S3 bucket stores sensitive data.
• The S3 bucket is not used to store static resources of websites (images, css …​).
• Many users have the permission to set ACL or policy to the S3 bucket.
• These settings are not already enforced to true at the account level.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to configure:

• BlockPublicAcls to true to block new attempts to set public ACLs.
• IgnorePublicAcls to true to block existing public ACLs.
• BlockPublicPolicy to true to block new attempts to set public policies.
• RestrictPublicBuckets to true to restrict existing public policies.

Sensitive Code Example

By default, when not set, the aws_s3_bucket_public_access_block is fully deactivated (nothing is blocked):

resource "aws_s3_bucket" "mynoncompliantfirstbucket" { # sensitive: by default it's unsafe
  bucket = "mynoncompliantfirstbucketname"
}

This aws_s3_bucket_public_access_block allows public ACL to be set:

resource "aws_s3_bucket" "mynoncompliantsecondbucket" {  # sensitive (s6281)
  bucket = "mynoncompliantsecondbucketname"
}

resource "aws_s3_bucket_public_access_block" "mynoncompliantspublicaccess" {
  bucket = aws_s3_bucket.mynoncompliantsecondbucket.id

  block_public_acls       = false # should be true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Compliant Solution

This aws_s3_bucket_public_access_block blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:

resource "aws_s3_bucket" "mycompliantbucket" {
  bucket = "mycompliantbucketname"
}

resource "aws_s3_bucket_public_access_block" "mycompliantpublicaccess" {
  bucket = aws_s3_bucket.mycompliantbucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

See

• OWASP Top 10 2021 Category A1 - Broken Access Control
• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• AWS Documentation - Blocking public access to your Amazon S3 storage
• MITRE, CWE-284 - Improper Access Control
• OWASP Top 10 2017 Category A5 - Broken Access Control