Ensure S3 bucket RestrictPublicBucket is set to True

Error: S3 bucket RestrictPublicBucket is not set to True

Bridgecrew Policy ID: BC_AWS_S3_22
Checkov Check ID: CKV_AWS_56
Severity: MEDIUM


Description

The S3 Block Public Access configuration specifies whether S3 should restrict public bucket policies for buckets in this account. Setting RestrictPublicBuckets to TRUE restricts access to a bucket that has a public policy to only AWS service principals and authorized users within the bucket owner's account.

Enabling this setting does not remove previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.

Fix - Buildtime

Terraform

  • Resource: aws_s3_bucket_public_access_block
  • Argument: restrict_public_buckets

resource "aws_s3_bucket_public_access_block" "artifacts" {
  ...
+ restrict_public_buckets = true
}

CloudFormation

  • Resource: AWS::S3::Bucket
  • Argument: Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets

    Type: 'AWS::S3::Bucket'
    Properties:
      ...
      PublicAccessBlockConfiguration:
        ...
+       RestrictPublicBuckets: true
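The following is an added example, not Checkov's own implementation of CKV_AWS_56: a simplified check that walks a CloudFormation template (JSON form) and reports every AWS::S3::Bucket whose Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets is not true, treating a missing PublicAccessBlockConfiguration as a finding. The template and the logical IDs in it are constructed sample input.

```python
import json

# Constructed CloudFormation template (JSON form) used as sample input;
# it is not a template from the page. Only "Artifacts" is compliant.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Artifacts": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicPolicy": True,
                    "RestrictPublicBuckets": True,
                },
            },
        },
        "Logs": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {"RestrictPublicBuckets": False},
            },
        },
        # No PublicAccessBlockConfiguration at all: also a finding.
        "Website": {"Type": "AWS::S3::Bucket", "Properties": {}},
        # Not a bucket: ignored by the check.
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},
    },
})


def _is_true(value):
    # CloudFormation accepts both a JSON/YAML boolean and the string "true".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def find_unrestricted_buckets(template_text):
    """Return logical IDs of AWS::S3::Bucket resources whose
    Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets is not true."""
    template = json.loads(template_text)
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        block_cfg = props.get("PublicAccessBlockConfiguration") or {}
        if not _is_true(block_cfg.get("RestrictPublicBuckets")):
            failing.append(logical_id)
    return failing
```

Running find_unrestricted_buckets(SAMPLE_TEMPLATE) returns ["Logs", "Website"]; a value supplied through an intrinsic function (for example a Ref to a parameter) is reported as non-compliant because it cannot be resolved statically.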