S3 bucket without ignore public ACL
Id: 6c8d51af-218d-4bfb-94a9-94eabaa0703a
Cloud Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Insecure Configurations
Description
S3 buckets should ignore public ACLs to prevent object or bucket-level ACLs from granting unintended public access. Public ACLs can lead to accidental data exposure.
In CloudFormation, the AWS::S3::Bucket resource must include PublicAccessBlockConfiguration.IgnorePublicAcls and it must be set to true. Resources missing PublicAccessBlockConfiguration, missing the IgnorePublicAcls property, or with IgnorePublicAcls: false will be flagged.
Secure configuration example:
MyBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: my-bucket
    PublicAccessBlockConfiguration:
      IgnorePublicAcls: true
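The check described above, written out as a small template scanner. This is an added example and not Datadog's own rule implementation; it reads a CloudFormation template in JSON form (the same structure as the JSON examples on this page) and reports every AWS::S3::Bucket whose PublicAccessBlockConfiguration.IgnorePublicAcls is absent or not true. The template contents are constructed to mirror the page's compliant and non-compliant cases.

```python
import json
from typing import Any

# Constructed sample template (JSON form) mirroring this page's cases:
# one compliant bucket, three non-compliant buckets, one non-bucket resource.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "Good": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"IgnorePublicAcls": True}}},
        "NoProps": {"Type": "AWS::S3::Bucket"},
        "NoFlag": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"BlockPublicPolicy": True}}},
        "FlagFalse": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {"IgnorePublicAcls": False}}},
        "Queue": {"Type": "AWS::SQS::Queue"},
    }
})


def bucket_ignores_public_acls(resource: dict[str, Any]) -> bool:
    """True only if PublicAccessBlockConfiguration.IgnorePublicAcls is true.

    A missing Properties block, a missing PublicAccessBlockConfiguration,
    a missing IgnorePublicAcls key, or IgnorePublicAcls: false all fail.
    CloudFormation also accepts the string "true" for booleans, so that
    spelling is accepted here as well.
    """
    props = resource.get("Properties") or {}
    pab = props.get("PublicAccessBlockConfiguration")
    if not isinstance(pab, dict):
        return False
    value = pab.get("IgnorePublicAcls")
    return value is True or (isinstance(value, str) and value.lower() == "true")


def find_violations(template_json: str) -> list[str]:
    """Return the logical IDs of AWS::S3::Bucket resources that fail the check."""
    template = json.loads(template_json)
    resources = template.get("Resources") or {}
    return [
        logical_id
        for logical_id, res in resources.items()
        if isinstance(res, dict)
        and res.get("Type") == "AWS::S3::Bucket"
        and not bucket_ignores_public_acls(res)
    ]


if __name__ == "__main__":
    for logical_id in find_violations(SAMPLE_TEMPLATE):
        print(f"{logical_id}: PublicAccessBlockConfiguration.IgnorePublicAcls is not true")
```

For YAML templates, load the document into the same dictionary shape first (CloudFormation intrinsic tags such as !Ref need a custom loader) and pass the result through the same checks.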
Compliant Code Examples
Resources:
  Bucket1:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls : true
        BlockPublicPolicy : true
        IgnorePublicAcls : true
        RestrictPublicBuckets : true
{
  "Resources": {
    "Bucket1": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        },
        "AccessControl": "Private"
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "Bucket1": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": false,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": false,
          "RestrictPublicBuckets": true
        },
        "AccessControl": "Private"
      }
    }
  }
}
Resources:
  Bucket11:
    Type: AWS::S3::Bucket
    Properties:
---
Resources:
  Bucket12:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicPolicy : true
        RestrictPublicBuckets : true
---
Resources:
  Bucket13:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        BlockPublicPolicy : true
        IgnorePublicAcls : false
        RestrictPublicBuckets : true