S3 Public ACLs Allowed

If an S3 bucket does not block public access, users with permission to modify the bucket can attach a bucket policy or ACL that grants public access, exposing the bucket's contents to anyone on the internet.

Remediation

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

# Attach an S3 Block Public Access configuration to the bucket. All four
# settings default to false in the provider, so each must be set explicitly.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true # reject PUT requests that set a public ACL on the bucket or its objects
  block_public_policy     = true # reject bucket policies that would grant public access
  ignore_public_acls      = true # ignore public ACLs that already exist on the bucket or its objects
  restrict_public_buckets = true # limit a public bucket policy to AWS service principals and account users
}

Reference: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#example-usage
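As an added static check (not part of this page or of the Terraform provider), the script below walks the configuration section of `terraform show -json` output and reports every aws_s3_bucket that has no aws_s3_bucket_public_access_block referencing it with all four flags set to true. It assumes the root-module plan-JSON layout (resources with `expressions`, `constant_value` and `references`), does not descend into child modules, and uses a constructed plan in place of a real file.

```python
# All four Block Public Access flags must be literally true, as in the remediation above.
REQUIRED = ("block_public_acls", "block_public_policy",
            "ignore_public_acls", "restrict_public_buckets")

def resource_address(reference):
    """Reduce a reference such as 'aws_s3_bucket.example.id' to 'aws_s3_bucket.example'."""
    return ".".join(reference.split(".")[:2])

def find_unprotected_buckets(plan):
    """Return addresses of aws_s3_bucket resources that lack an
    aws_s3_bucket_public_access_block with all four flags set to true."""
    resources = plan["configuration"]["root_module"]["resources"]
    buckets = {r["address"] for r in resources if r["type"] == "aws_s3_bucket"}
    protected = set()
    for r in resources:
        if r["type"] != "aws_s3_bucket_public_access_block":
            continue
        expr = r.get("expressions", {})
        # The provider defaults every flag to false, so an omitted flag fails the check too.
        if not all(expr.get(k, {}).get("constant_value") is True for k in REQUIRED):
            continue
        for ref in expr.get("bucket", {}).get("references", []):
            protected.add(resource_address(ref))
    return sorted(buckets - protected)

def _bucket(name):
    return {"address": f"aws_s3_bucket.{name}", "type": "aws_s3_bucket", "name": name}

def _block(name, **flags):
    """One public-access-block resource in plan-JSON shape, referencing bucket `name` (constructed)."""
    expr = {k: {"constant_value": v} for k, v in flags.items()}
    expr["bucket"] = {"references": [f"aws_s3_bucket.{name}.id", f"aws_s3_bucket.{name}"]}
    return {"address": f"aws_s3_bucket_public_access_block.{name}",
            "type": "aws_s3_bucket_public_access_block", "name": name, "expressions": expr}

# Constructed stand-in for `terraform show -json plan.out`, limited to the fields used above.
SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    _bucket("example"), _bucket("logs"), _bucket("orphan"),
    _block("example", block_public_acls=True, block_public_policy=True,
           ignore_public_acls=True, restrict_public_buckets=True),
    # Incomplete block: block_public_policy omitted, so a public bucket policy can still be attached.
    _block("logs", block_public_acls=True, ignore_public_acls=True, restrict_public_buckets=True),
]}}}

if __name__ == "__main__":
    print(find_unprotected_buckets(SAMPLE_PLAN))  # ['aws_s3_bucket.logs', 'aws_s3_bucket.orphan']
```

Run it against a saved plan with `json.load` in place of SAMPLE_PLAN to gate a CI pipeline on an empty result.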

Metadata

  • Severity: high
  • Slug: s3-public-acls-allowed

OWASP

  • A05:2021: Security Misconfiguration

Available Labs

Open AWS labs in SecDim Play for this vulnerability.
