Amazon S3 provides four independent Public Access Block settings to prevent public access from being granted to a bucket through ACLs or bucket policies. This rule flags S3 bucket configurations where any of these settings is set to false.

Why is this an issue?

Amazon S3 buckets are private by default, but their access control can be relaxed using ACLs or bucket policies that allow public access. Although AWS enables all four Public Access Block settings by default, infrastructure code can inadvertently re-expose a bucket by setting any of them to false.

What is the potential impact?

If public access is not fully blocked on an S3 bucket that contains sensitive data, any unauthenticated user on the internet can read, download, or exfiltrate that data. This can lead to data breaches, compliance violations, and reputational damage to the organization.

How to fix it

Code examples

An aws_s3_bucket_public_access_block resource that does not define all four attributes leaves the missing ones defaulting to false:

Noncompliant code example

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_public_access_block" "example" { # Noncompliant
  bucket = aws_s3_bucket.example.id

  block_public_acls = true
}

Compliant solution

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Explicitly setting any attribute to false also disables the corresponding protection:

Noncompliant code example

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = false # Noncompliant
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Compliant solution

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

How does this work?

The aws_s3_bucket_public_access_block resource controls public access to an S3 bucket through four independent settings:

- block_public_acls: rejects requests that would attach a public ACL to the bucket or to its objects.
- block_public_policy: rejects bucket policies that would grant public access.
- ignore_public_acls: ignores any public ACL that is already attached, so it grants no access.
- restrict_public_buckets: restricts access to a bucket that has a public policy to the bucket owner's account and AWS services.

When no aws_s3_bucket_public_access_block resource is defined for a bucket, AWS defaults all four settings to true. However, when the resource is defined but does not include all four attributes, any missing attribute defaults to false. All four settings must be explicitly defined and set to true to fully prevent public access to the bucket.
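The check described above can be reproduced with a small script that scans Terraform source for aws_s3_bucket_public_access_block resources and reports every setting that is either absent (and therefore defaults to false) or explicitly set to something other than true. This is an added example written for this page, not the analyzer's own implementation or code from the Terraform provider; it uses a deliberately minimal regex-and-brace parser rather than a full HCL parser, and the three Terraform snippets embedded in it are constructed from the examples on this page.

```python
"""Flag aws_s3_bucket_public_access_block resources that leave any of the
four Public Access Block settings missing or not set to true.

Added example: a minimal scanner that applies the rule from this page to
Terraform source text. It is not the analyzer's code; the Terraform
samples below are constructed from the page's examples."""
import re
from dataclasses import dataclass

# The four Public Access Block settings that must all be present and true.
REQUIRED_SETTINGS = (
    "block_public_acls",
    "block_public_policy",
    "ignore_public_acls",
    "restrict_public_buckets",
)

# Matches the header of the resource we care about and captures its name.
RESOURCE_HEADER = re.compile(
    r'resource\s+"aws_s3_bucket_public_access_block"\s+"([^"]+)"\s*\{'
)
# Matches a simple `key = value` line inside a resource body.
ATTRIBUTE = re.compile(r"^\s*([a-z_]+)\s*=\s*(.+?)\s*$")


@dataclass
class Finding:
    resource: str   # name of the aws_s3_bucket_public_access_block resource
    setting: str    # which of the four settings is affected
    reason: str     # "missing", "false", or "not literal true"


def _block_body(text, open_brace):
    """Return the text between the `{` at index open_brace and its matching `}`."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def _attributes(body):
    """Collect `key = value` pairs from a resource body, ignoring # comments."""
    attrs = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = ATTRIBUTE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def check_public_access_block(tf_source):
    """Return one Finding per setting that is missing or not literally true."""
    findings = []
    for header in RESOURCE_HEADER.finditer(tf_source):
        name = header.group(1)
        body = _block_body(tf_source, header.end() - 1)  # end()-1 is the `{`
        attrs = _attributes(body)
        for setting in REQUIRED_SETTINGS:
            if setting not in attrs:
                findings.append(Finding(name, setting, "missing"))
            elif attrs[setting] == "false":
                findings.append(Finding(name, setting, "false"))
            elif attrs[setting] != "true":
                # e.g. var.flag: cannot prove it is true, so report it
                findings.append(Finding(name, setting, "not literal true"))
    return findings


# Constructed samples mirroring the page's examples.
PARTIAL_EXAMPLE = '''
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_public_access_block" "example" { # Noncompliant
  bucket = aws_s3_bucket.example.id

  block_public_acls = true
}
'''

EXPLICIT_FALSE_EXAMPLE = '''
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = false # Noncompliant
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
'''

COMPLIANT_EXAMPLE = '''
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
'''

if __name__ == "__main__":
    for label, src in (("partial", PARTIAL_EXAMPLE),
                       ("explicit false", EXPLICIT_FALSE_EXAMPLE),
                       ("compliant", COMPLIANT_EXAMPLE)):
        for f in check_public_access_block(src):
            print(f"{label}: {f.resource}.{f.setting} is {f.reason}")
```

The scanner treats any value other than the literal `true` as a finding, including expressions such as variable references, because a reviewer cannot tell from the file alone whether such a value will evaluate to true at plan time.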

Resources

Documentation

Standards