AWS Amazon S3 Bucket Public Access Block

This page shows how to write Terraform and CloudFormation for Amazon S3 Bucket Public Access Block and write them securely.

aws_s3_bucket_public_access_block (Terraform)

The Bucket Public Access Block in Amazon S3 can be configured in Terraform with the resource name aws_s3_bucket_public_access_block. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

aws_s3_bucket_public_access_block.tf#L2
resource "aws_s3_bucket_public_access_block" "s3_access_logs" {
  bucket                  = aws_s3_bucket.s3_access_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
test.tf#L5
resource "aws_s3_bucket_public_access_block" "mycompliants6281_publicaccess" {
  bucket = aws_s3_bucket.mycompliants6281.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  # restrict_public_buckets is not set here, so it keeps the provider default of false
}
s3.tf#L85
resource "aws_s3_bucket_public_access_block" "prod_media" {
  bucket                  = aws_s3_bucket.prod_media.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
S3.tf#L21
resource "aws_s3_bucket_public_access_block" "block_main_bucket" {
  bucket                  = aws_s3_bucket.main_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
main.tf#L21
resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
  # ignore_public_acls and restrict_public_buckets are not set, so both default to false
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_s3_bucket_public_access_block

There are 3 settings in aws_s3_bucket_public_access_block that should be taken care of for security reasons. The following sections give an overview and example code for each.


Ensure S3 bucket-level Public Access Block restricts public bucket policies

It is better to enable S3 bucket-level Public Access Block if you don't need public buckets.


Ensure PUT calls with public ACLs for your S3 bucket are blocked

It is better to block the calls with S3 Bucket-level Public Access Block.


Ensure PUT calls with a public policy for your S3 bucket are blocked

It is better to block PUT calls with a public policy for your S3 bucket.
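The three best practices above map onto the four boolean settings of the resource, and two of the GitHub examples on this page omit some of them. The following added checker (not Shisho Cloud's code and not part of the original page) scans Terraform text for aws_s3_bucket_public_access_block resources and reports every setting that is missing (the provider defaults each one to false) or explicitly false; the sample input is constructed here and mirrors the page's "s3_access_logs" and "access_good_1" examples.

```python
import re

# The four settings documented on this page, with the rule each one enforces.
EXPECTED = {
    "block_public_acls": "PUT calls with public ACLs are blocked",
    "block_public_policy": "PUT calls with a public bucket policy are blocked",
    "ignore_public_acls": "existing public ACLs are ignored",
    "restrict_public_buckets": "public bucket policies are restricted",
}

# Matches one resource block of the relevant type (bodies have no nested braces).
BLOCK_RE = re.compile(
    r'resource\s+"aws_s3_bucket_public_access_block"\s+"([^"]+)"\s*\{(.*?)\}',
    re.S,
)
# Matches boolean attribute lines such as `block_public_acls = true`.
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(true|false)\s*$", re.M)


def audit_public_access_blocks(hcl: str) -> dict:
    """Return {resource_name: [findings]}; an empty list means all four settings are true."""
    report = {}
    for name, body in BLOCK_RE.findall(hcl):
        attrs = {key: value == "true" for key, value in ATTR_RE.findall(body)}
        findings = []
        for key, rule in EXPECTED.items():
            if key not in attrs:
                findings.append(f"{key} not set (defaults to false): {rule} is not enforced")
            elif not attrs[key]:
                findings.append(f"{key} = false: {rule} is not enforced")
        report[name] = findings
    return report


# Constructed sample: a complete block followed by one that only sets two of the four flags.
SAMPLE = '''
resource "aws_s3_bucket_public_access_block" "s3_access_logs" {
  bucket                  = aws_s3_bucket.s3_access_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
}
'''

if __name__ == "__main__":
    for name, findings in audit_public_access_blocks(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The regex parser is deliberately minimal; for real repositories, run it over each .tf file or replace the parsing with an HCL library, keeping the same four-flag check.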

Review your AWS Amazon S3 settings

You can check if the aws_s3_bucket_public_access_block setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Manages S3 bucket-level Public Access Block configuration. For more information about these settings, see the AWS S3 Block Public Access documentation.

Tips: Best Practices for The Other AWS Amazon S3 Resources

In addition to aws_s3_bucket, AWS Amazon S3 has other resources that should be configured for security reasons. Please check the following examples of those resources and their precautions.


aws_s3_bucket

Ensure S3 bucket access policy is well configured

It is better to configure the S3 bucket access policy properly so that access is restricted unless public access is explicitly required.

Review your AWS Amazon S3 settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud can help make sure that your .tf files cover them.

AWS::S3::Bucket PublicAccessBlockConfiguration (CloudFormation)

The Bucket PublicAccessBlockConfiguration in S3 can be configured in CloudFormation with the resource name AWS::S3::Bucket PublicAccessBlockConfiguration. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

BlockPublicAcls Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to TRUE causes the following behavior:

  • PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public.
  • PUT Object calls fail if the request includes a public ACL.
  • PUT Bucket calls fail if the request includes a public ACL.

Enabling this setting doesn't affect existing policies or ACLs.
Required: No
Type: Boolean
Update requires: No interruption

BlockPublicPolicy Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
Enabling this setting doesn't affect existing bucket policies.
Required: No
Type: Boolean
Update requires: No interruption

IgnorePublicAcls Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.
Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
Required: No
Type: Boolean
Update requires: No interruption

RestrictPublicBuckets Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.
Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
Required: No
Type: Boolean
Update requires: No interruption

Explanation in CloudFormation Registry

The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see The Meaning of "Public" in the Amazon S3 User Guide.

Frequently asked questions

What is AWS Amazon S3 Bucket Public Access Block?

AWS Amazon S3 Bucket Public Access Block is a resource for Amazon S3 of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon S3 Bucket Public Access Block?

For Terraform, the semnil/terraform-aws-example, SonarSource/sonar-iac and skoleapp/skole-infra source code examples are useful. See the Terraform Example section for further details.