include::description.adoc[] include::../ask-yourself.adoc[] include::recommended.adoc[] == Sensitive Code Example By default, when not set, the `blockPublicAccess` is fully deactivated (nothing is blocked): [source,javascript] ---- const s3 = require('aws-cdk-lib/aws-s3'); new s3.Bucket(this, 'id', { bucketName: 'bucket' }); // Sensitive ---- This `block_public_access` allows public ACL to be set: [source,javascript] ---- const s3 = require('aws-cdk-lib/aws-s3'); new s3.Bucket(this, 'id', { bucketName: 'bucket', blockPublicAccess: new s3.BlockPublicAccess({ blockPublicAcls : false, // Sensitive blockPublicPolicy : true, ignorePublicAcls : true, restrictPublicBuckets : true }) }); ---- The attribute `BLOCK_ACLS` only blocks and ignores public ACLs: [source,javascript] ---- const s3 = require('aws-cdk-lib/aws-s3'); new s3.Bucket(this, 'id', { bucketName: 'bucket', blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS // Sensitive }); ---- == Compliant Solution This `blockPublicAccess` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies: [source,javascript] ---- const s3 = require('aws-cdk-lib/aws-s3'); new s3.Bucket(this, 'id', { bucketName: 'bucket', blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL }); ---- A similar configuration to the one above can be obtained by setting all parameters of the `blockPublicAccess` [source,javascript] ---- const s3 = require('aws-cdk-lib/aws-s3'); new s3.Bucket(this, 'id', { bucketName: 'bucket', blockPublicAccess: new s3.BlockPublicAccess({ blockPublicAcls : true, blockPublicPolicy : true, ignorePublicAcls : true, restrictPublicBuckets : true }) }); ---- include::../see.adoc[] * https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BlockPublicAccess.html[AWS CDK version 2] - BlockPublicAccess ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::message.adoc[] include::highlighting.adoc[] endif::env-github,rspecator-view[]