# aws-s3-public-access

Ensure the S3 bucket does not allow Read or Write permissions to anyone on the Internet.
AWS provides predefined permission sets called canned ACLs.

If the bucket is intended to be publicly readable (for example, when it hosts static content or documents for a public web site), then the canned ACL `public-read` is correct.

If the bucket contains any sensitive or private data, then the canned ACL should be restricted to `private`.

If the canned ACLs do not provide the specific permissions needed, then a more detailed S3 bucket policy or IAM policy may be required.
## Examples

### Insecure Example

Terraform:

```hcl
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"
  acl    = "public-read"
}
```

CloudFormation:

```json
"Resources": {
  "S3Bucket": {
    "Type": "AWS::S3::Bucket",
    "DeletionPolicy": "Retain",
    "Properties": {
      "BucketName": "DOC-EXAMPLE-BUCKET",
      "AccessControl": "PublicRead"
    }
  }
}
```
### Secure Example

Terraform:

```hcl
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"
  acl    = "private"
}
```

CloudFormation:

```json
"Resources": {
  "S3Bucket": {
    "Type": "AWS::S3::Bucket",
    "DeletionPolicy": "Retain",
    "Properties": {
      "BucketName": "DOC-EXAMPLE-BUCKET",
      "AccessControl": "Private"
    }
  }
}
```
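The examples above show the canned ACL as written in Terraform and CloudFormation. At the API level a canned ACL expands into grants to the predefined S3 groups `AllUsers` (anyone on the Internet) and `AuthenticatedUsers` (any AWS account), so a check has to look at both the declared ACL name in templates and the effective grants on a deployed bucket. The following Python script is an added example, not part of this rule's documentation or of any scanner's code: it flags public canned ACLs in CloudFormation and Terraform text, and flags public grants in a `GetBucketAcl`-shaped response. The sample ACL responses and the `_public_grants`/`_public_buckets` helper names are constructed for the example; the group URIs are the real S3 group identifiers.

```python
import json
import re

# Predefined S3 groups that canned ACLs such as public-read and authenticated-read grant to.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# Canned ACL names that expose a bucket, in S3 API/Terraform form and in CloudFormation form.
PUBLIC_CANNED_ACLS = {
    "public-read", "public-read-write", "authenticated-read",
    "PublicRead", "PublicReadWrite", "AuthenticatedRead",
}


def acl_public_grants(acl):
    """Return (group URI, permission) for every grant in a GetBucketAcl-style
    dict that goes to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def cfn_public_buckets(template):
    """Return logical IDs of AWS::S3::Bucket resources whose AccessControl is public."""
    flagged = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        acl = resource.get("Properties", {}).get("AccessControl", "Private")
        if acl in PUBLIC_CANNED_ACLS:
            flagged.append(logical_id)
    return flagged


# Matches `resource "aws_s3_bucket" "<name>" { ... acl = "<value>" ... }` in HCL text.
# A regex is enough for flat blocks like the ones on this page; real HCL needs a parser.
_TF_BUCKET_ACL = re.compile(
    r'resource\s+"aws_s3_bucket"\s+"([^"]+)"\s*\{[^}]*?\bacl\s*=\s*"([^"]+)"', re.S
)


def tf_public_buckets(hcl_text):
    """Return resource names of aws_s3_bucket blocks declaring a public canned ACL."""
    return [name for name, acl in _TF_BUCKET_ACL.findall(hcl_text) if acl in PUBLIC_CANNED_ACLS]


# Constructed sample: what GetBucketAcl returns for a public-read bucket (owner ID is a placeholder).
SAMPLE_PUBLIC_READ_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample: the same bucket after setting the ACL to private.
SAMPLE_PRIVATE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    ],
}

# The insecure CloudFormation fragment from this page, wrapped into a template.
SAMPLE_INSECURE_TEMPLATE = json.loads("""
{"Resources": {"S3Bucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain",
 "Properties": {"BucketName": "DOC-EXAMPLE-BUCKET", "AccessControl": "PublicRead"}}}}
""")

# The insecure Terraform block from this page.
SAMPLE_INSECURE_TF = '''
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"
  acl    = "public-read"
}
'''

if __name__ == "__main__":
    print("ACL grants to public groups:", acl_public_grants(SAMPLE_PUBLIC_READ_ACL))
    print("Public CloudFormation buckets:", cfn_public_buckets(SAMPLE_INSECURE_TEMPLATE))
    print("Public Terraform buckets:", tf_public_buckets(SAMPLE_INSECURE_TF))
```

Checking the effective grants matters because a bucket can become public through a later `put-bucket-acl` call or an explicit grant even when the template said `Private`; running `acl_public_grants` over the output of `aws s3api get-bucket-acl` catches that drift, while the template checks catch it before deployment.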