S3 Access block should block public policy
Explanation
The S3 public access block should enable block_public_policy to prevent users from PUTing a bucket policy that enables public access.
Insecure Example
The following example will fail the AWS076 check.
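# Variant 1: block_public_policy is omitted, so it defaults to false.
resource "aws_s3_bucket_public_access_block" "bad_example" {
  bucket = aws_s3_bucket.example.id
}

# Variant 2: block_public_policy is explicitly disabled.
resource "aws_s3_bucket_public_access_block" "bad_example" {
  bucket              = aws_s3_bucket.example.id
  block_public_policy = false
}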
Secure Example
The following example will pass the AWS076 check.
resource "aws_s3_bucket_public_access_block" "good_example" {
  bucket              = aws_s3_bucket.example.id
  block_public_policy = true
}