S3 bucket allows public policy
Id: 860ba89b-b8de-4e72-af54-d6aee4138a69
Cloud Provider: AWS
Platform: CloudFormation
Severity: High
Category: Access Control
Description
S3 buckets should block public bucket policies to prevent bucket policies from granting public access. Public bucket policies can expose objects or other sensitive data.
For AWS::S3::Bucket resources, Properties.PublicAccessBlockConfiguration.BlockPublicPolicy must be set to true. Resources missing PublicAccessBlockConfiguration, or with BlockPublicPolicy: false, will be flagged.
Secure configuration example:
MyBucket:
  Type: AWS::S3::Bucket
  Properties:
    PublicAccessBlockConfiguration:
      BlockPublicPolicy: true
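The check described above can be reproduced with a short template scanner. The following is an added example, not Datadog's rule implementation: it walks the Resources of a JSON-format CloudFormation template, keeps only AWS::S3::Bucket resources, and reports a bucket when PublicAccessBlockConfiguration is absent or BlockPublicPolicy is anything other than a literal true (CloudFormation also accepts the string "true", which the example accepts). A value that is an unresolved intrinsic such as {"Ref": "..."} is treated as not-true so it is surfaced for review rather than silently trusted. YAML templates would need a YAML parser such as PyYAML, which this example deliberately avoids; the sample templates embedded below are constructed from the page's compliant and non-compliant examples plus one extra mixed case.

```python
"""Flag AWS::S3::Bucket resources that do not set BlockPublicPolicy to true.

Added example, not Datadog's rule engine. JSON templates only; the sample
templates at the bottom are constructed for this example.
"""
import json

S3_BUCKET_TYPE = "AWS::S3::Bucket"


def is_literal_true(value):
    """CloudFormation Boolean properties may be a bool or the string "true"/"false".

    Anything else (missing, false, an unresolved Ref/Fn::* object) counts as
    not-true, so unresolvable values are flagged instead of assumed safe.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def find_public_policy_buckets(template):
    """Return a list of (logical_id, reason) for every S3 bucket failing the check."""
    findings = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        # Only S3 buckets are in scope; other resource types are skipped.
        if not isinstance(resource, dict) or resource.get("Type") != S3_BUCKET_TYPE:
            continue
        props = resource.get("Properties") or {}   # Properties may be absent or null
        pab = props.get("PublicAccessBlockConfiguration")
        if not isinstance(pab, dict):
            findings.append((logical_id, "PublicAccessBlockConfiguration missing"))
        elif not is_literal_true(pab.get("BlockPublicPolicy")):
            findings.append((logical_id, "BlockPublicPolicy is not true"))
    return findings


def scan_json_template(text):
    """Parse a JSON CloudFormation template and run the check on it."""
    return find_public_policy_buckets(json.loads(text))


# Constructed sample: the page's compliant JSON example.
COMPLIANT = """{
  "Resources": {
    "Bucket1": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true
        },
        "AccessControl": "Private"
      }
    }
  }
}"""

# Constructed sample: the page's non-compliant JSON example.
NON_COMPLIANT = """{
  "Resources": {
    "Bucket1": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": false, "BlockPublicPolicy": false,
          "IgnorePublicAcls": false, "RestrictPublicBuckets": true
        },
        "AccessControl": "Private"
      }
    }
  }
}"""

# Constructed sample: no Properties, a partial block, a string "true", and a
# non-bucket resource that must be ignored.
MIXED = """{
  "Resources": {
    "Bucket11": {"Type": "AWS::S3::Bucket"},
    "Bucket12": {"Type": "AWS::S3::Bucket", "Properties": {
      "PublicAccessBlockConfiguration": {"RestrictPublicBuckets": true}}},
    "Bucket13": {"Type": "AWS::S3::Bucket", "Properties": {
      "PublicAccessBlockConfiguration": {"BlockPublicPolicy": "true"}}},
    "Topic": {"Type": "AWS::SNS::Topic", "Properties": {}}
  }
}"""

if __name__ == "__main__":
    for name, text in [("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT), ("mixed", MIXED)]:
        print(name, scan_json_template(text))
```

Running the module prints an empty list for the compliant template, Bucket1 for the non-compliant one, and Bucket11 and Bucket12 for the mixed case; Bucket13 passes because the string "true" is accepted, and the SNS topic is skipped.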
Compliant Code Examples
Resources:
  Bucket1:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
{
  "Resources": {
    "Bucket1": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "AccessControl": "Private"
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "Bucket1": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": false,
          "BlockPublicPolicy": false,
          "IgnorePublicAcls": false,
          "RestrictPublicBuckets": true
        },
        "AccessControl": "Private"
      }
    }
  }
}
Resources:
  Bucket11:
    Type: AWS::S3::Bucket
    Properties:
---
Resources:
  Bucket12:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        RestrictPublicBuckets: true
---
Resources:
  Bucket13:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        BlockPublicPolicy: false
        IgnorePublicAcls: false
        RestrictPublicBuckets: true