Amazon S3 provides four independent Public Access Block settings to prevent public access from being granted to a bucket through ACLs or bucket policies. This rule flags S3 bucket configurations where any of these settings is set to false.

Why is this an issue?

Amazon S3 buckets are private by default, but their access control can be relaxed using ACLs or bucket policies that allow public access. Although AWS enables all four Public Access Block settings by default, infrastructure code can inadvertently re-expose a bucket by setting any of them to false.

What is the potential impact?

If public access is not fully blocked on an S3 bucket that contains sensitive data, any unauthenticated user on the internet can read, download, or exfiltrate that data. This can lead to data breaches, compliance violations, and reputational damage to the organization.

How to fix it

Code examples

A PublicAccessBlockConfiguration block that does not define all four attributes leaves the missing ones defaulting to false:

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ExampleBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "example"
      PublicAccessBlockConfiguration: # Noncompliant
        BlockPublicAcls: true

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ExampleBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "example"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Explicitly setting any attribute to false also disables the corresponding protection:

Noncompliant code example

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ExampleBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "example"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false # Noncompliant
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Compliant solution

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ExampleBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "example"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

How does this work?

The PublicAccessBlockConfiguration property controls public access to an S3 bucket through four independent settings:

BlockPublicAcls: rejects requests that would attach a public ACL to the bucket or its objects.
IgnorePublicAcls: causes S3 to ignore any public ACL already attached to the bucket or its objects.
BlockPublicPolicy: rejects bucket policies that would grant public access.
RestrictPublicBuckets: limits access to a bucket that has a public policy to AWS service principals and authorized users within the account.

When PublicAccessBlockConfiguration is omitted entirely, AWS defaults all four settings to true. However, when the block is present but does not define all four attributes, any missing attribute defaults to false. All four settings must be explicitly set to true to fully prevent public access to the bucket.
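The check this rule performs can be reproduced offline against a template. The following is an added example, not code from the rule or from AWS: it scans the JSON form of a CloudFormation template (JSON is used so that only the standard library is needed) and reports every AWS::S3::Bucket whose PublicAccessBlockConfiguration leaves one of the four attributes missing or not true, while treating an omitted property as compliant, exactly as described above. The template and bucket names are constructed for the demonstration.

```python
import json

# The four settings the rule requires; every one must be true.
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")


def check_bucket(logical_id, resource):
    """Return findings for one AWS::S3::Bucket resource (empty list = compliant)."""
    props = resource.get("Properties") or {}
    pab = props.get("PublicAccessBlockConfiguration")
    if pab is None:
        return []  # property omitted entirely: AWS defaults all four to true
    findings = []
    for key in PAB_KEYS:
        if key not in pab:
            findings.append(f"{logical_id}: {key} missing, defaults to false")
        elif str(pab[key]).lower() != "true":  # accepts boolean true or "true"
            findings.append(f"{logical_id}: {key} is {pab[key]!r}, must be true")
    return findings


def check_template(template_json):
    """Scan every S3 bucket in a JSON CloudFormation template."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            findings.extend(check_bucket(logical_id, resource))
    return findings


# Constructed sample template: one bucket per case from the rule description.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PartialBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}},
        "ExplicitFalseBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": False, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
        "CompliantBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)}},
        "OmittedBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run as a script it prints four findings: three missing attributes on PartialBucket and the explicit false on ExplicitFalseBucket; the compliant and omitted buckets produce none.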
