rspec/rules/S6281/javascript/rule.adoc

By default S3 buckets are private, it means that only the bucket owner can access it.

This access control can be relaxed with ACLs or policies.

To prevent permissive policies or ACLs to be set on a S3 bucket the following booleans settings can be enabled:

* `blockPublicAcls`: to block or not public ACLs to be set to the S3 bucket.
* `ignorePublicAcls`: to consider or not existing public ACLs set to the S3 bucket.
* `blockPublicPolicy`: to block or not public policies to be set to the S3 bucket.
* `restrictPublicBuckets`: to restrict or not the access to the S3 endpoints of public policies to the principals within the bucket owner account.

The other attribute `BlockPublicAccess.BLOCK_ACLS` only turns on `blockPublicAcls` and `ignorePublicAcls`. The public policies can still affect the S3 bucket.


However, all of those options can be enabled by setting the `blockPublicAccess` property of the S3 bucket to `BlockPublicAccess.BLOCK_ALL`.


include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

It's recommended to configure:

* `blockPublicAcls` to `True` to block new attempts to set public ACLs.
* `ignorePublicAcls` to `True` to block existing public ACLs.
* `blockPublicPolicy` to `True` to block new attempts to set public policies.
* `restrictPublicBuckets` to `True` to restrict existing public policies.


== Sensitive Code Example

By default, when not set, the `blockPublicAccess` is fully deactivated (nothing is blocked):

[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket'
}); // Sensitive
----

This `block_public_access` allows public ACL to be set:

[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls         : false, // Sensitive
        blockPublicPolicy       : true,
        ignorePublicAcls        : true,
        restrictPublicBuckets   : true
    })
});
----

The attribute `BLOCK_ACLS` only blocks and ignores public ACLs:

[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS // Sensitive
});
----

== Compliant Solution

This `blockPublicAccess` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:

[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL
});
----

A similar configuration to the one above can be obtained by setting all parameters of the `blockPublicAccess`

[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls         : true,
        blockPublicPolicy       : true,
        ignorePublicAcls        : true,
        restrictPublicBuckets   : true
    })
});
----

include::../see.adoc[]

* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BlockPublicAccess.html[AWS CDK version 2] - BlockPublicAccess
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Primary locations
** Make sure allowing public ACL/policies to be set is safe here.
** No Public Access Block configuration prevents public ACL/policies to be set on this S3 bucket. Make sure it is safe here.
* Secondary location
** Propagated setting.


=== Highlighting

* Primary locations
** aws_cdk.aws_s3.Bucket constructor
** aws_cdk.aws_s3.Bucket.blockPublicAccess property
*** BlockPublicAccess.BLOCK_ACLS
*** 'blockPublicAcls', 'blockPublicPolicy', 'ignorePublicAcls', 'restrictPublicBuckets' properties of BlockPublicAccess set to False

* Secondary location
** Propagated setting.


endif::env-github,rspecator-view[]