AWS Amazon S3 Account Public Access Block

This page shows how to write Terraform and CloudFormation for the Amazon S3 Account Public Access Block, and how to write them securely.

aws_s3_account_public_access_block (Terraform)

The Account Public Access Block in Amazon S3 can be configured in Terraform with the resource name aws_s3_account_public_access_block. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

restrict_s3_public.tf#L2
resource "aws_s3_account_public_access_block" "example" {
  block_public_acls   = true
  block_public_policy = true
}

storage.tf#L2
resource "aws_s3_account_public_access_block" "global_block_public_access" {
  block_public_acls   = true
  block_public_policy = true
  ignore_public_acls  = true
}

s3_account_public_access_block.tf#L1
resource "aws_s3_account_public_access_block" "storage_account" {
  block_public_acls   = true
  block_public_policy = true
  ignore_public_acls  = true
}

main.tf#L7
resource "aws_s3_account_public_access_block" "lambda_tf_way_s3_bucket_access" {
  ignore_public_acls      = true
  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = true
}

s3.tf#L6
resource "aws_s3_account_public_access_block" "strict" {
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages S3 account-level Public Access Block configuration. For more information about these settings, see the AWS S3 Block Public Access documentation.

NOTE: Each AWS account may only have one S3 Public Access Block configuration. Multiple configurations of the resource against the same AWS account will cause a perpetual difference.

Advanced usage: To use a custom API endpoint for this Terraform resource, use the s3control endpoint provider configuration, not the s3 endpoint provider configuration.

Tips: Best Practices for The Other AWS Amazon S3 Resources

In addition to aws_s3_account_public_access_block, AWS Amazon S3 has other resources that should be configured for security reasons. Please check the following examples of those resources and the precautions for each.


aws_s3_bucket_public_access_block

Ensure S3 bucket-level Public Access Block restricts public bucket policies

It is better to enable S3 bucket-level Public Access Block if you don't need public buckets.


aws_s3_bucket

Ensure S3 bucket access policy is well configured

It is better to configure the S3 bucket access policy properly to limit it unless explicitly required.

Review your AWS Amazon S3 settings

In addition to the above, there are other security points you should be aware of. Shisho Cloud can check your .tf files against them.

AWS::S3::AccessPoint PublicAccessBlockConfiguration (CloudFormation)

The AccessPoint PublicAccessBlockConfiguration in S3 can be configured in CloudFormation with the resource name AWS::S3::AccessPoint PublicAccessBlockConfiguration. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

BlockPublicAcls Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to TRUE causes the following behavior:

  • PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public.
  • PUT Object calls fail if the request includes a public ACL.
  • PUT Bucket calls fail if the request includes a public ACL.

Enabling this setting doesn't affect existing policies or ACLs.
Required: No
Type: Boolean
Update requires: Replacement

BlockPublicPolicy Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
Enabling this setting doesn't affect existing bucket policies.
Required: No
Type: Boolean
Update requires: Replacement

IgnorePublicAcls Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.
Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
Required: No
Type: Boolean
Update requires: Replacement

RestrictPublicBuckets Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.
Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
Required: No
Type: Boolean
Update requires: Replacement
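The four settings above are independent, and several of the GitHub excerpts earlier on this page set only two or three of them. The following audit helper is an added example, not code from this page, the Terraform provider or Shisho Cloud: it extracts the four boolean attributes of aws_s3_account_public_access_block from a .tf file, reports which gap stays open for each setting that is omitted (an omitted attribute defaults to false), and flags a file that declares the resource more than once, which the registry note above warns causes a perpetual difference. The HCL handling is a minimal regex that assumes the flat, single-level blocks shown on this page; the sample .tf text is constructed.

```python
import re

# Terraform attribute name -> what remains possible when it is left false.
# The gap text follows the parameter semantics described on this page.
SETTINGS = {
    "block_public_acls": "new public ACLs can still be put on buckets and objects",
    "ignore_public_acls": "existing public ACLs still grant anonymous access",
    "block_public_policy": "new public bucket policies can still be attached",
    "restrict_public_buckets": "existing public bucket policies still grant public and cross-account access",
}

# Assumption: flat blocks with no nested braces, as in the excerpts on this page.
_BLOCK_RE = re.compile(
    r'resource\s+"aws_s3_account_public_access_block"\s+"([^"]+)"\s*\{(.*?)\}', re.S
)
_ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(true|false)\s*$", re.M)


def parse_account_blocks(hcl: str) -> dict:
    """Return {resource_label: {setting: bool}} for every account-level block in the file."""
    blocks = {}
    for label, body in _BLOCK_RE.findall(hcl):
        attrs = {k: v == "true" for k, v in _ATTR_RE.findall(body)}
        blocks[label] = {s: attrs.get(s, False) for s in SETTINGS}  # omitted -> false
    return blocks


def audit(settings: dict) -> list:
    """List the gaps left open by a (possibly partial) configuration; empty means fully blocked."""
    return [f"{name}: {gap}" for name, gap in SETTINGS.items() if not settings.get(name, False)]


def has_duplicate_resources(blocks: dict) -> bool:
    """True when one file declares the resource more than once (only one per account is allowed)."""
    return len(blocks) > 1


# Constructed sample in the shape of the page's GitHub excerpts: one partial, one strict.
SAMPLE_TF = """
resource "aws_s3_account_public_access_block" "example" {
  block_public_acls   = true
  block_public_policy = true
}

resource "aws_s3_account_public_access_block" "strict" {
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
"""

if __name__ == "__main__":
    parsed = parse_account_blocks(SAMPLE_TF)
    for label, settings in parsed.items():
        gaps = audit(settings)
        print(label, "-> fully blocked" if not gaps else "-> open: " + "; ".join(gaps))
    if has_duplicate_resources(parsed):
        print("warning: more than one account-level block in one file (perpetual diff)")
```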

Explanation in CloudFormation Registry

The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see The Meaning of "Public" in the Amazon S3 User Guide.

Frequently asked questions

What is AWS Amazon S3 Account Public Access Block?

AWS Amazon S3 Account Public Access Block is a resource for Amazon S3 of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon S3 Account Public Access Block?

For Terraform, the stootles/mylabs, raulmanzas/text-extraction-4fun and wellcomecollection/storage-service source code examples are useful. See the Terraform Example section for further details.