include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example By default, when not set, the ``++aws_s3_bucket_public_access_block++`` is fully deactivated (nothing is blocked): [source,terraform] ---- resource "aws_s3_bucket" "example" { # Sensitive: no Public Access Block defined for this bucket bucket = "example" } ---- This ``++aws_s3_bucket_public_access_block++`` allows public ACL to be set: [source,terraform] ---- resource "aws_s3_bucket" "example" { # Sensitive bucket = "examplename" } resource "aws_s3_bucket_public_access_block" "example-public-access-block" { bucket = aws_s3_bucket.example.id block_public_acls = false # should be true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } ---- == Compliant Solution This ``++aws_s3_bucket_public_access_block++`` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies: [source,terraform] ---- resource "aws_s3_bucket" "example" { bucket = "example" } resource "aws_s3_bucket_public_access_block" "example-public-access-block" { bucket = aws_s3_bucket.example.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * Primary locations ** Make sure allowing public ACL/policies to be set is safe here. ** No Public Access Block configuration prevents public ACL/policies to be set on this S3 bucket. Make sure it is safe here. * Secondary location ** Set this property to true ** Related bucket === Highlighting * Primary locations ** aws_s3_bucket_public_access_block ** aws_s3_bucket resource * Secondary location ** block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets properties set to false ** aws_s3_bucket resource endif::env-github,rspecator-view[]