S3 Access Block should Ignore Public Acl

Explanation

S3 buckets should ignore public ACLs on the bucket and on any objects it contains. With IgnorePublicAcls enabled, a PUT call that specifies a public ACL still succeeds, but the public ACL has no effect, so the bucket and its objects stay private.

Possible Impact

PUT calls with public ACLs specified can make objects public

Suggested Resolution

Set IgnorePublicAcls to true in the bucket's PublicAccessBlockConfiguration so that public ACLs supplied in PUT calls are ignored.

Insecure Example

The following example will fail the AVD-AWS-0091 check.

---
Resources:
  BadExample:
    Properties:
      # No PublicAccessBlockConfiguration, so a public ACL supplied in a PUT call takes effect
      AccessControl: AuthenticatedRead
    Type: AWS::S3::Bucket

Secure Example

The following example will pass the AVD-AWS-0091 check.

---
Resources:
  GoodExample:
    Properties:
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        # Public ACLs supplied in PUT calls are accepted but have no effect
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
    Type: AWS::S3::Bucket
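As an added example (not part of this page or of Trivy's own code), a small static check in Python that applies the AVD-AWS-0091 logic to a parsed CloudFormation template: it flags every AWS::S3::Bucket whose PublicAccessBlockConfiguration does not set IgnorePublicAcls to true. The templates are constructed JSON equivalents of the two YAML examples above; the extra resource names StringFlagExample and NotABucket are assumptions added to exercise the string form of the flag and the resource-type filter.

```python
import json

CHECK_ID = "AVD-AWS-0091"  # the check this page describes


def _is_true(value) -> bool:
    """CloudFormation accepts a boolean or the strings "true"/"false" here; an
    unresolved intrinsic such as {"Ref": ...} counts as not-true (conservative)."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def buckets_not_ignoring_public_acls(template: dict) -> list:
    """Logical IDs of every AWS::S3::Bucket whose PublicAccessBlockConfiguration
    does not set IgnorePublicAcls to true (a missing block counts as a failure)."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        block = props.get("PublicAccessBlockConfiguration") or {}
        if not _is_true(block.get("IgnorePublicAcls")):
            findings.append(logical_id)
    return findings


# Constructed JSON equivalents of the page's two YAML templates, plus a bucket
# that spells the flag as the string "true" and a non-bucket resource to skip.
BAD_TEMPLATE = json.loads("""{"Resources": {
  "BadExample": {"Type": "AWS::S3::Bucket",
                 "Properties": {"AccessControl": "AuthenticatedRead"}}}}""")

GOOD_TEMPLATE = json.loads("""{"Resources": {
  "GoodExample": {"Type": "AWS::S3::Bucket", "Properties": {
      "AccessControl": "Private",
      "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true}}},
  "StringFlagExample": {"Type": "AWS::S3::Bucket", "Properties": {
      "PublicAccessBlockConfiguration": {"IgnorePublicAcls": "true"}}},
  "NotABucket": {"Type": "AWS::SNS::Topic", "Properties": {}}}}""")

if __name__ == "__main__":
    for name, tpl in (("insecure", BAD_TEMPLATE), ("secure", GOOD_TEMPLATE)):
        print(name, CHECK_ID, "failing:", buckets_not_ignoring_public_acls(tpl))
```

Running it reports BadExample as failing and nothing for the secure template; a YAML template can be fed in the same way once loaded into a dict.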
