AWS Amazon S3 Bucket Public Access Block
This page shows how to write Terraform and CloudFormation for Amazon S3 Bucket Public Access Block and write them securely.
aws_s3_bucket_public_access_block (Terraform)
The Bucket Public Access Block in Amazon S3 can be configured in Terraform with the resource name aws_s3_bucket_public_access_block. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_s3_bucket_public_access_block" "s3_access_logs" {
bucket = aws_s3_bucket.s3_access_logs.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
resource "aws_s3_bucket_public_access_block" "mycompliants6281_publicaccess" {
bucket = aws_s3_bucket.mycompliants6281.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
resource "aws_s3_bucket_public_access_block" "prod_media" {
bucket = aws_s3_bucket.prod_media.id
block_public_acls = true
ignore_public_acls = true
block_public_policy = true
restrict_public_buckets = true
resource "aws_s3_bucket_public_access_block" "block_main_bucket" {
bucket = aws_s3_bucket.main_bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
resource "aws_s3_bucket_public_access_block" "access_good_1" {
bucket = aws_s3_bucket.bucket_good_1.id
block_public_acls = true
block_public_policy = true
}
Security Best Practices for aws_s3_bucket_public_access_block
There are 3 settings in aws_s3_bucket_public_access_block that should be taken care of for security reasons. The following section explain an overview and example code.
Ensure S3 bucket-level Public Access Block restricts public bucket policies
It is better to enable S3 bucket-level Public Access Block if you don't need public buckets.
Ensure PUT calls with public ACLs for your S3 bucket are blocked
It is better to block the calls with S3 Bucket-level Public Access Block.
Ensure PUT calls with a public policy for your S3 bucket are blocked
It is better to block PUT calls with a public policy for your S3 bucket.
Parameters
-
block_public_aclsoptional - bool -
block_public_policyoptional - bool -
bucketrequired - string -
idoptional computed - string -
ignore_public_aclsoptional - bool -
restrict_public_bucketsoptional - bool
Explanation in Terraform Registry
Manages S3 bucket-level Public Access Block configuration. For more information about these settings, see the AWS S3 Block Public Access documentation.
Tips: Best Practices for The Other AWS Amazon S3 Resources
In addition to the aws_s3_bucket, AWS Amazon S3 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_s3_bucket
Ensure S3 bucket access policy is well configured
It is better to configure the S3 bucket access policy properly to limit it unless explicitly required.
AWS::S3::Bucket PublicAccessBlockConfiguration (CloudFormation)
The Bucket PublicAccessBlockConfiguration in S3 can be configured in CloudFormation with the resource name AWS::S3::Bucket PublicAccessBlockConfiguration. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
BlockPublicAcls
Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket. Setting this element to TRUE causes the following behavior:
- PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public.
- PUT Object calls fail if the request includes a public ACL.
- PUT Bucket calls fail if the request includes a public ACL.
Enabling this setting doesn't affect existing policies or ACLs.
Required: No
Type: Boolean
Update requires: No interruption
BlockPublicPolicy
Specifies whether Amazon S3 should block public bucket policies for this bucket. Setting this element to TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
Enabling this setting doesn't affect existing bucket policies.
Required: No
Type: Boolean
Update requires: No interruption
IgnorePublicAcls
Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.
Enabling this setting doesn't affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set.
Required: No
Type: Boolean
Update requires: No interruption
RestrictPublicBuckets
Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.
Enabling this setting doesn't affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked.
Required: No
Type: Boolean
Update requires: No interruption
Explanation in CloudFormation Registry
The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. For more information about when Amazon S3 considers a bucket or object public, see The Meaning of "Public" in the Amazon S3 User Guide.
Frequently asked questions
What is AWS Amazon S3 Bucket Public Access Block?
AWS Amazon S3 Bucket Public Access Block is a resource for Amazon S3 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon S3 Bucket Public Access Block?
For Terraform, the semnil/terraform-aws-example, SonarSource/sonar-iac and skoleapp/skole-infra source code examples are useful. See the Terraform Example section for further details.
