AWS S3 Block Public Access Disabled

Critical Risk | Infrastructure Security
Tags: aws, s3, public-access, data-exposure, bucket-policy, acl, compliance, terraform, cloudformation

What it is

A critical security vulnerability where Amazon S3 buckets or AWS accounts are configured without Block Public Access settings, allowing potential public exposure of sensitive data through bucket policies, ACLs, or access points. This creates a significant risk of data breaches, unauthorized access, and compliance violations when bucket policies or ACLs inadvertently grant public access to private data. Without Block Public Access controls, misconfigurations can expose entire buckets containing sensitive business data, personal information, or confidential documents to the internet.

# VULNERABLE: S3 bucket without Block Public Access
resource "aws_s3_bucket" "app_data" {
  bucket = "my-app-data-bucket"
  
  # VULNERABLE: Missing aws_s3_bucket_public_access_block
  
  tags = {
    Environment = "production"
  }
}

# VULNERABLE: Bucket policy with wildcard principal
resource "aws_s3_bucket_policy" "app_data_policy" {
  bucket = aws_s3_bucket.app_data.id
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"  # DANGEROUS: Allows public access
      Action    = "s3:GetObject"
      Resource  = "${aws_s3_bucket.app_data.arn}/*"
    }]
  })
}

# VULNERABLE: CloudFormation without Block Public Access
Resources:
  AppDataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-app-data-bucket
      # VULNERABLE: Missing PublicAccessBlockConfiguration
      Tags:
        - Key: Environment
          Value: production

# SECURE: S3 bucket with Block Public Access
resource "aws_s3_bucket" "app_data" {
  bucket = "my-app-data-bucket"
  
  tags = {
    Environment = "production"
  }
}

# SECURE: Enable Block Public Access
resource "aws_s3_bucket_public_access_block" "app_data_pab" {
  bucket = aws_s3_bucket.app_data.id
  
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# SECURE: Bucket policy with specific IAM role
resource "aws_s3_bucket_policy" "app_data_policy" {
  bucket     = aws_s3_bucket.app_data.id
  depends_on = [aws_s3_bucket_public_access_block.app_data_pab]
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.app_role.arn }
      Action    = "s3:GetObject"
      Resource  = "${aws_s3_bucket.app_data.arn}/*"
    }]
  })
}

# SECURE: CloudFormation with Block Public Access
Resources:
  AppDataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-app-data-bucket
      # SECURE: Enable Block Public Access
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: Environment
          Value: production

💡 Why This Fix Works

The vulnerable examples show S3 buckets without Block Public Access settings and a bucket policy with a wildcard principal. The secure alternatives enable all four Block Public Access settings (at the bucket level in Terraform and via PublicAccessBlockConfiguration in CloudFormation) and scope the bucket policy to a specific IAM role instead of "*". The fixes below extend this with CloudFront OAI/OAC access patterns for content delivery and monitoring for configuration changes.

Why it happens

Development teams create S3 buckets without configuring Block Public Access settings, leaving them vulnerable to accidental public exposure through bucket policies or ACLs. The default S3 configuration allows public access through explicit bucket policies, and teams may unknowingly create permissive policies that expose sensitive data to the internet.

Root causes

S3 Bucket Without Block Public Access Configuration

Buckets are declared in Terraform or CloudFormation without an aws_s3_bucket_public_access_block resource or a PublicAccessBlockConfiguration property. Because S3 honours explicit bucket policies and ACLs by default, any later permissive policy or ACL (for example a statement with Principal "*") exposes the bucket's objects to the internet.

Account-Level Block Public Access Not Enabled

AWS accounts without account-level Block Public Access settings allow any bucket in the account to become public through a policy misconfiguration. The account-wide setting provides a safety net against accidental exposure, but it is not enabled by default and must be configured explicitly.

Fixes

1. Enable Block Public Access at Bucket and Account Level

Configure Block Public Access settings on both individual buckets and at the AWS account level. Set all four Block Public Access settings to true: block_public_acls, block_public_policy, ignore_public_acls, and restrict_public_buckets. This provides comprehensive protection against accidental public exposure.

2. Implement Secure Access Patterns

Use CloudFront distributions with Origin Access Identity (OAI) or Origin Access Control (OAC) for public content delivery instead of public bucket access. For programmatic access, use pre-signed URLs, IAM roles, or bucket policies with specific principal restrictions rather than public access.

3. Monitor and Alert on Public Access Changes

Set up CloudTrail logging and EventBridge rules to monitor changes to bucket policies, ACLs, and Block Public Access settings. Create automated alerts when public access is enabled or when bucket policies are modified. Use AWS Config rules to continuously monitor compliance with security policies.
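The following is an added example, not code from the Sourcery page: a compliance check of the kind an AWS Config custom rule would run for fixes 1 and 3. It takes bucket-level and account-level Block Public Access settings plus a bucket policy (all constructed inline as dicts and JSON, so nothing calls AWS), computes the effective settings, and flags the page's wildcard-principal policy. The simplified public-policy test is an assumption noted in the code.

```python
"""Added example (not the Sourcery page's code): evaluate a bucket's
effective Block Public Access posture as an AWS Config custom rule would.
Inputs are dicts shaped like GetPublicAccessBlock / GetBucketPolicy
responses, constructed inline so nothing calls AWS."""
import json

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

# Constructed sample: the page's vulnerable policy with a wildcard principal.
VULN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-app-data-bucket/*"}]})

def effective_pab(bucket_pab, account_pab):
    # S3 applies the most restrictive combination of bucket-level and
    # account-level settings, so each flag is the OR of the two levels;
    # None (no configuration at that level) contributes False everywhere.
    b, a = bucket_pab or {}, account_pab or {}
    return {k: bool(b.get(k) or a.get(k)) for k in PAB_KEYS}

def is_wildcard_principal(principal):
    # Matches Principal "*" and Principal {"AWS": "*"} (string or list form).
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def policy_grants_public(policy_json):
    # Flags an Allow statement with a wildcard principal and no Condition.
    # Simplification: AWS also treats some conditioned statements as public.
    if not policy_json:
        return False
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return any(s.get("Effect") == "Allow" and "Condition" not in s
               and is_wildcard_principal(s.get("Principal")) for s in stmts)

def evaluate_bucket(bucket_pab, account_pab, policy_json):
    # Returns finding strings; an empty list means the bucket is compliant.
    eff = effective_pab(bucket_pab, account_pab)
    findings = [f"{k} not enforced" for k, v in eff.items() if not v]
    if policy_grants_public(policy_json):
        findings.append("bucket policy allows wildcard principal"
                        + ("" if eff["RestrictPublicBuckets"]
                           else " (not mitigated: RestrictPublicBuckets off)"))
    return findings
```

Run evaluate_bucket over the output of GetPublicAccessBlock (bucket and account) and GetBucketPolicy for each bucket; any non-empty result is the condition the EventBridge/Config alerting in fix 3 should raise.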

Detect This Vulnerability in Your Code

Sourcery automatically identifies AWS S3 Block Public Access Disabled and many other security issues in your codebase.