
aws-s3-public-access

Ensure the S3 bucket does not allow Read or Write permissions to anyone on the Internet

AWS provides predefined permission sets called Canned ACLs.

If the bucket is intended to be publicly readable (for example, when it hosts static content or documents for a public website), then the canned ACL public-read is correct.

If the bucket contains any sensitive or private data, then the canned ACL should be restricted to private.

If none of the canned ACLs provides the specific permissions needed, then a more granular S3 bucket policy may be required.

Examples

Insecure Example

Terraform:

resource "aws_s3_bucket" "mybucket" {
    bucket = "mybucket"
    # public-read grants READ on the bucket to the AllUsers group, i.e. anyone on the Internet
    acl    = "public-read"
}

CloudFormation:

"Resources": {
    "S3Bucket": {
        "Type": "AWS::S3::Bucket",
        "DeletionPolicy": "Retain",
        "Properties": {
            "BucketName": "DOC-EXAMPLE-BUCKET",
            "AccessControl": "PublicRead"
        }
    }
}

Secure Example

Terraform:

resource "aws_s3_bucket" "mybucket" {
    bucket = "mybucket"
    # private grants FULL_CONTROL to the bucket owner only; no access for other principals
    acl    = "private"
}

CloudFormation:

"Resources": {
    "S3Bucket": {
        "Type": "AWS::S3::Bucket",
        "DeletionPolicy": "Retain",
        "Properties": {
            "BucketName": "DOC-EXAMPLE-BUCKET",
            "AccessControl": "Private"
        }
    }
}
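The check described above can be expressed as a small scanner that flags any aws_s3_bucket or AWS::S3::Bucket whose canned ACL opens the bucket to anyone on the Internet (AllUsers) or to any AWS account holder (AuthenticatedUsers). The following Python is an added example written for this page, not code from the tool or from AWS; the Terraform matcher is a deliberately simple regex (an assumption, not a real HCL parser) that expects one-line `acl = "..."` arguments, and the sample inputs are constructed copies of the insecure and secure examples above.

```python
import json
import re

# Canned ACLs that grant access beyond the bucket owner's account. These are
# AWS's own names: the lower-case forms are the S3 API / Terraform spelling,
# the CamelCase forms are the CloudFormation AccessControl spelling.
PUBLIC_CANNED_ACLS = {
    "public-read", "public-read-write", "authenticated-read",
    "PublicRead", "PublicReadWrite", "AuthenticatedRead",
}

# Hypothetical lightweight matchers (assumption: not a full HCL parser).
# _TF_RESOURCE captures the resource name and the body of each
# aws_s3_bucket block that closes with a "}" on its own line.
_TF_RESOURCE = re.compile(r'resource\s+"aws_s3_bucket"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_TF_ACL = re.compile(r'\bacl\s*=\s*"([^"]+)"')


def check_terraform(hcl):
    """Return [(resource_name, acl), ...] for every aws_s3_bucket with a public canned ACL."""
    findings = []
    for match in _TF_RESOURCE.finditer(hcl):
        name, body = match.group(1), match.group(2)
        acl = _TF_ACL.search(body)
        if acl and acl.group(1) in PUBLIC_CANNED_ACLS:
            findings.append((name, acl.group(1)))
    return findings


def check_cloudformation(template):
    """Return [(logical_id, AccessControl), ...] for every AWS::S3::Bucket with a public canned ACL.

    `template` may be a parsed dict or a JSON string. A bucket with no
    AccessControl property defaults to Private and is not flagged.
    """
    if isinstance(template, str):
        template = json.loads(template)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        acl = resource.get("Properties", {}).get("AccessControl")
        if acl in PUBLIC_CANNED_ACLS:
            findings.append((logical_id, acl))
    return findings


# Constructed sample inputs mirroring the page's insecure and secure examples.
INSECURE_TF = '''
resource "aws_s3_bucket" "mybucket" {
    bucket = "mybucket"
    acl    = "public-read"
}
'''

SECURE_TF = '''
resource "aws_s3_bucket" "mybucket" {
    bucket = "mybucket"
    acl    = "private"
}
'''

INSECURE_CFN = '''{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {"BucketName": "DOC-EXAMPLE-BUCKET", "AccessControl": "PublicRead"}
    }
  }
}'''

SECURE_CFN = '''{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {"BucketName": "DOC-EXAMPLE-BUCKET", "AccessControl": "Private"}
    }
  }
}'''


if __name__ == "__main__":
    for label, findings in (
        ("insecure terraform", check_terraform(INSECURE_TF)),
        ("secure terraform", check_terraform(SECURE_TF)),
        ("insecure cloudformation", check_cloudformation(INSECURE_CFN)),
        ("secure cloudformation", check_cloudformation(SECURE_CFN)),
    ):
        status = "FAIL" if findings else "PASS"
        print(f"{status}: {label} {findings}")
```

Only the two insecure samples produce findings; the secure samples with `private` / `Private` pass, as does a CloudFormation bucket that omits AccessControl entirely, since S3 applies the private canned ACL by default.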

More Information