Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

CloudFormation static code analysis

Unique rules to find Vulnerabilities, Security Hotspots, and Code Smells in your CLOUDFORMATION code

Allowing public ACLs or policies on a S3 bucket is security-sensitive

intentionality - complete

security

Security Hotspot

By default S3 buckets are private, it means that only the bucket owner can access it.

This access control can be relaxed with ACLs or policies.

To prevent permissive policies to be set on a S3 bucket the following settings can be configured:

BlockPublicAcls: to block or not public ACLs to be set to the S3 bucket.
IgnorePublicAcls: to consider or not existing public ACLs set to the S3 bucket.
BlockPublicPolicy: to block or not public policies to be set to the S3 bucket.
RestrictPublicBuckets: to restrict or not the access to the S3 endpoints of public policies to the principals within the bucket owner account.

Ask Yourself Whether

The S3 bucket stores sensitive data.
The S3 bucket is not used to store static resources of websites (images, css …).
Many users have the permission to set ACL or policy to the S3 bucket.
These settings are not already enforced to true at the account level.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to configure:

BlockPublicAcls to true to block new attempts to set public ACLs.
IgnorePublicAcls to true to block existing public ACLs.
BlockPublicPolicy to true to block new attempts to set public policies.
RestrictPublicBuckets to true to restrict existing public policies.

Sensitive Code Example

By default, when not set, the PublicAccessBlockConfiguration is fully deactivated (nothing is blocked):

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucketdefault:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties:
      BucketName: "example"

This PublicAccessBlockConfiguration allows public ACL to be set:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties:
      BucketName: "example"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false # should be true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Compliant Solution

This PublicAccessBlockConfiguration blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      BucketName: "example"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

See

AWS Documentation - Blocking public access to your Amazon S3 storage
CWE - CWE-284 - Improper Access Control
STIG Viewer - Application Security and Development: V-222620 - Application web servers must be on a separate network segment from the application and database servers.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.2

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.2

In-IDE

SaaS

Self-Hosted