--- title: S3 bucket without restriction of public bucket description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket without restriction of public bucket --- # S3 bucket without restriction of public bucket {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-s3-bucket-without-restriction-of-public-bucket` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) ### Description{% #description %} This check verifies whether public access to an Amazon S3 bucket is properly restricted using the `restrict_public_buckets` attribute within the `aws_s3_bucket_public_access_block` resource. If `restrict_public_buckets` is set to `false` or omitted, as shown below, the bucket may still be publicly accessible through policies, even if other public access blocks are enabled: ``` resource "aws_s3_bucket_public_access_block" "example" { bucket = aws_s3_bucket.example.id block_public_acls = true block_public_policy = true restrict_public_buckets = false } ``` Leaving public bucket restriction disabled increases the risk of unintended data exposure, as users could still attach bucket policies that override ACLs and grant public access. To mitigate this vulnerability and ensure S3 buckets cannot be made public by any means, the `restrict_public_buckets` attribute should be explicitly set to `true`: ``` resource "aws_s3_bucket_public_access_block" "example" { bucket = aws_s3_bucket.example.id block_public_acls = true block_public_policy = true restrict_public_buckets = true } ``` Failure to enforce this protection may lead to unauthorized access to sensitive data stored in S3, resulting in data breaches and compliance violations. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_s3_bucket" "negative1" { bucket = "example" } resource "aws_s3_bucket_public_access_block" "negative2" { bucket = aws_s3_bucket.example.id block_public_acls = true block_public_policy = true restrict_public_buckets = true } ``` ```terraform module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" bucket = "my-s3-bucket" acl = "private" restrict_public_buckets = true versioning = { enabled = true } policy = <