
S3 Bucket has an ACL defined which allows public access.

Explanation

S3 bucket permissions should be set to deny public access unless explicitly required.

Granting public write access with the public-read-write canned ACL is especially dangerous: anyone on the internet can upload objects to the bucket, and you will be billed for any uploaded files.

Additionally, you should not use the authenticated-read canned ACL, as this provides read access to any authenticated AWS user, not just AWS users within your organisation.

Insecure Example

The following example will fail the AWS001 check.

resource "aws_s3_bucket" "my-bucket" {
	# public-read grants read access to everyone, so AWS001 fails
	acl = "public-read"
}

Secure Example

The following example will pass the AWS001 check.

resource "aws_s3_bucket" "my-bucket" {
	# private restricts access to the bucket owner, so AWS001 passes
	acl = "private"
}
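As an added illustration of the rule this check applies (example code written for this page, not the checker's own implementation), the following Python scanner reads Terraform source, finds every aws_s3_bucket block, and reports any whose canned ACL is public-read, public-read-write or authenticated-read. It assumes the blocks contain no nested braces, and it treats a bucket with no acl attribute as private, which is the canned ACL S3 applies by default.

```python
import re

# Canned ACLs that AWS001 treats as exposing the bucket beyond your account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

# Captures each aws_s3_bucket resource's name and body. Assumes the block
# contains no nested braces, which holds for the snippets on this page.
BUCKET_RE = re.compile(
    r'resource\s+"aws_s3_bucket"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}'
)
ACL_RE = re.compile(r'^\s*acl\s*=\s*"(?P<acl>[^"]*)"', re.MULTILINE)


def check_aws001(hcl: str) -> list[dict]:
    """Return one finding per aws_s3_bucket block: resource, acl, passed.
    A bucket with no acl attribute is treated as "private", the canned ACL
    S3 applies when none is set (assumption made by this example)."""
    findings = []
    for block in BUCKET_RE.finditer(hcl):
        m = ACL_RE.search(block.group("body"))
        acl = m.group("acl") if m else "private"
        findings.append({
            "resource": f'aws_s3_bucket.{block.group("name")}',
            "acl": acl,
            "passed": acl not in PUBLIC_ACLS,
        })
    return findings


# Constructed sample input: the page's two buckets plus two more cases.
SAMPLE = '''
resource "aws_s3_bucket" "my-bucket" {
  acl = "public-read"
}
resource "aws_s3_bucket" "private-bucket" {
  acl = "private"
}
resource "aws_s3_bucket" "uploads" {
  acl = "public-read-write"
}
resource "aws_s3_bucket" "no-acl" {
  bucket = "example-no-acl"
}
'''

if __name__ == "__main__":
    for f in check_aws001(SAMPLE):
        print("PASS" if f["passed"] else "FAIL", f["resource"], f["acl"])
```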