S3 Bucket Without Restriction Of Public Bucket

  • Query id: 1ec253ab-c220-4d63-b2de-5b40e0af9293
  • Query name: S3 Bucket Without Restriction Of Public Bucket
  • Platform: Terraform
  • Severity: Medium
  • Category: Insecure Configurations
  • CWE: 284
  • Risk score: 6.2
  • URL: Github

Description

An `aws_s3_account_public_access_block` resource is defined but does not explicitly set `restrict_public_buckets` to `true`, so public bucket policies are not restricted at the account level. The attribute defaults to `false` when omitted, which is why an account block that merely leaves it out is reported alongside one that sets it to `false`.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
// account-level block is defined, and does NOT explicitly
// set `restrict_public_buckets` to `true` (defaults to false when omitted)
resource "aws_s3_account_public_access_block" "restrict_public" {
  account_id = "250924516109" // sample account ID from the test file, quoted as a string
}

// bucket resource is defined and sets `restrict_public_buckets` to `false`
resource "aws_s3_bucket_public_access_block" "restrict_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

Positive test num. 2 - tf file
// account-level block is defined, and explicitly
// sets `restrict_public_buckets` to `false`
resource "aws_s3_account_public_access_block" "restrict_public" {
  account_id              = "250924516109" // sample account ID from the test file, quoted as a string
  restrict_public_buckets = false
}

// bucket resource is defined and sets `restrict_public_buckets` to `false`
resource "aws_s3_bucket_public_access_block" "restrict_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
// account-level block is defined, and explicitly
// sets `restrict_public_buckets` to `true`
resource "aws_s3_account_public_access_block" "restrict_public" {
  account_id              = "250924516109" // sample account ID from the test file, quoted as a string
  restrict_public_buckets = true
}

// bucket resource is defined and sets `restrict_public_buckets` to `false`;
// the query only evaluates the account-level block, so this is not reported
resource "aws_s3_bucket_public_access_block" "restrict_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

Negative test num. 2 - tf file
// `aws_s3_account_public_access_block` is NOT defined, so there is no
// account-level block for the query to evaluate
// bucket resource is defined and sets `restrict_public_buckets` to `false`
resource "aws_s3_bucket_public_access_block" "restrict_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}
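The four samples above encode the query's rule: report an `aws_s3_account_public_access_block` resource unless it explicitly sets `restrict_public_buckets = true`, and report nothing when no account-level block exists. The following Python script is an added example, not part of the KICS project or its Rego query; it re-implements that rule with a minimal regex-based parser that handles only flat HCL resource blocks (no nested blocks), which is all these samples use. The embedded inputs are constructed copies of the test files, and the account ID is the sample value from the page.

```python
import re

# Matches a top-level `resource "<type>" "<name>" { ... }` block.
# Non-greedy body up to a newline followed by `}` is enough for flat blocks.
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Matches `key = value` lines inside a block body; `//` comment lines do not
# match because `/` is not an identifier character.
ATTR_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^\n#/]+)',
    re.MULTILINE,
)


def parse_resources(hcl: str) -> list[dict]:
    """Return [{"type", "name", "attrs"}] for each flat resource block in `hcl`."""
    resources = []
    for block in BLOCK_RE.finditer(hcl):
        attrs = {}
        for attr in ATTR_RE.finditer(block.group("body")):
            # Strip surrounding quotes so `"true"` and `true` compare equal,
            # mirroring Terraform's string-to-bool conversion.
            attrs[attr.group("key")] = attr.group("value").strip().strip('"')
        resources.append(
            {"type": block.group("type"), "name": block.group("name"), "attrs": attrs}
        )
    return resources


def find_unrestricted_account_blocks(hcl: str) -> list[str]:
    """Report every account-level public access block that does not set
    restrict_public_buckets to true (missing attribute defaults to false)."""
    findings = []
    for res in parse_resources(hcl):
        if res["type"] != "aws_s3_account_public_access_block":
            continue
        value = res["attrs"].get("restrict_public_buckets")  # None when omitted
        if value != "true":
            findings.append(
                f'aws_s3_account_public_access_block.{res["name"]}: '
                f"restrict_public_buckets is {value!r}, expected true"
            )
    return findings


# Constructed inputs copied from the query's test files.
BUCKET_BLOCK = """
resource "aws_s3_bucket_public_access_block" "restrict_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}
"""

POSITIVE_1 = """
resource "aws_s3_account_public_access_block" "restrict_public" {
  account_id = "250924516109"
}
""" + BUCKET_BLOCK

POSITIVE_2 = """
resource "aws_s3_account_public_access_block" "restrict_public" {
  account_id              = "250924516109"
  restrict_public_buckets = false
}
""" + BUCKET_BLOCK

NEGATIVE_1 = """
resource "aws_s3_account_public_access_block" "restrict_public" {
  account_id              = "250924516109"
  restrict_public_buckets = true
}
""" + BUCKET_BLOCK

NEGATIVE_2 = BUCKET_BLOCK  # no account-level block at all


if __name__ == "__main__":
    for label, sample in [("positive 1", POSITIVE_1), ("positive 2", POSITIVE_2),
                          ("negative 1", NEGATIVE_1), ("negative 2", NEGATIVE_2)]:
        print(label, find_unrestricted_account_blocks(sample) or "no findings")
```

Running the script reports one finding for each positive sample and none for the negatives. The bucket-level block is deliberately left permissive in every sample, as on the page, to show that this query judges only the account-level resource; a separate check is needed for `aws_s3_bucket_public_access_block`.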