Ensure S3 bucket IgnorePublicAcls is set to True

Error: S3 bucket IgnorePublicAcls is not set to True

Bridgecrew Policy ID: BC_AWS_S3_21
Checkov Check ID: CKV_AWS_55
Severity: MEDIUM


Description

The IgnorePublicAcls setting causes S3 to ignore all public ACLs on a bucket and on any objects it contains. Enabling it does not remove existing ACLs and does not prevent new public ACLs from being set; those ACLs are still stored, they simply no longer grant public access.

This setting therefore blocks public access granted by ACLs while still allowing PUT Object calls that include a public ACL. It is one of the four public access block settings, and the check only inspects this one; the others are evaluated by their own checks.

Fix - Buildtime

Terraform

  • Resource: aws_s3_bucket_public_access_block
  • Argument: ignore_public_acls
resource "aws_s3_bucket_public_access_block" "artifacts" {
  ...
  restrict_public_buckets = true
+ ignore_public_acls      = true
}

CloudFormation

  • Resource: AWS::S3::Bucket
  • Argument: Properties.PublicAccessBlockConfiguration.IgnorePublicAcls
Type: 'AWS::S3::Bucket'
Properties:
  ...
  PublicAccessBlockConfiguration:
    ...
+   IgnorePublicAcls: true
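The following is an added example, not Checkov's or Bridgecrew's own implementation of CKV_AWS_55. It re-implements the check's condition as a small, offline scanner over the two resource shapes the fixes above target (a Terraform `aws_s3_bucket_public_access_block` body and the `Properties` of a CloudFormation `AWS::S3::Bucket`), so you can see exactly which configurations pass and which fail. The function names, the Terraform JSON input format, and the sample documents are assumptions constructed for this example; the one behaviour worth noting is that a missing `ignore_public_acls` / `IgnorePublicAcls` key fails, because the AWS default for the setting is false.

```python
"""Offline evaluation of the CKV_AWS_55 condition (IgnorePublicAcls must be true).

Added example; not Checkov's own code. Function names and sample inputs are
constructed for illustration.
"""
import json
from typing import Any, Dict, Mapping


def _is_true(value: Any) -> bool:
    """Accept an explicit boolean true or the string 'true' (YAML/JSON templates).

    A missing key yields None and therefore False: AWS defaults
    IgnorePublicAcls to false, so absence must count as a failure.
    The `is True` test keeps the integer 1 from being mistaken for true.
    """
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def check_public_access_block(block: Mapping[str, Any]) -> str:
    """CKV_AWS_55 for one aws_s3_bucket_public_access_block body (Terraform)."""
    return "PASSED" if _is_true(block.get("ignore_public_acls")) else "FAILED"


def check_cfn_bucket(properties: Mapping[str, Any]) -> str:
    """CKV_AWS_55 for the Properties of one AWS::S3::Bucket (CloudFormation)."""
    pab = properties.get("PublicAccessBlockConfiguration") or {}
    return "PASSED" if _is_true(pab.get("IgnorePublicAcls")) else "FAILED"


def scan_terraform_json(doc: Mapping[str, Any]) -> Dict[str, str]:
    """Report every public access block in a document in Terraform JSON syntax."""
    results: Dict[str, str] = {}
    blocks = doc.get("resource", {}).get("aws_s3_bucket_public_access_block", {})
    for name, body in blocks.items():
        results[f"aws_s3_bucket_public_access_block.{name}"] = check_public_access_block(body)
    return results


def scan_cloudformation(template: Mapping[str, Any]) -> Dict[str, str]:
    """Report every AWS::S3::Bucket in a CloudFormation template (other types are skipped)."""
    results: Dict[str, str] = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::Bucket":
            results[f"AWS::S3::Bucket.{logical_id}"] = check_cfn_bucket(res.get("Properties") or {})
    return results


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_TERRAFORM = {
    "resource": {
        "aws_s3_bucket_public_access_block": {
            "artifacts": {
                "bucket": "${aws_s3_bucket.artifacts.id}",
                "block_public_acls": True,
                "block_public_policy": True,
                "restrict_public_buckets": True,
                "ignore_public_acls": True,
            },
            "legacy": {
                "bucket": "${aws_s3_bucket.legacy.id}",
                "block_public_acls": True,
                "restrict_public_buckets": True,
                # ignore_public_acls omitted: falls back to the AWS default (false)
            },
        }
    }
}

SAMPLE_CFN = json.loads("""
{
  "Resources": {
    "ArtifactBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": "true"}
      }
    },
    "ScratchBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {"IgnorePublicAcls": false}
      }
    },
    "LogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {}}
  }
}
""")


if __name__ == "__main__":
    findings = {**scan_terraform_json(SAMPLE_TERRAFORM), **scan_cloudformation(SAMPLE_CFN)}
    for resource, verdict in findings.items():
        print(f"CKV_AWS_55 {verdict}: {resource}")
```

Running the module prints one line per resource; `artifacts` and `ArtifactBucket` pass, while `legacy` (key omitted) and `ScratchBucket` (explicit false) fail, which is the same outcome the fixes above are meant to resolve.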