Amazon S3 provides four independent Public Access Block settings to prevent public access from being granted to a bucket through ACLs or bucket policies. This rule flags S3 bucket configurations where any of these settings is set to false.

Why is this an issue?

Amazon S3 buckets are private by default, but their access control can be relaxed through ACLs or bucket policies that grant public access. Although AWS enables all four Public Access Block settings by default on new buckets, infrastructure code can inadvertently re-expose a bucket by explicitly setting any of them to false.

What is the potential impact?

If public access is not fully blocked on an S3 bucket that contains sensitive data, any unauthenticated user on the internet can read, download, or exfiltrate that data. This can lead to data breaches, compliance violations, and reputational damage to the organization.

How to fix it

Code examples

Noncompliant code example

const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls         : false, // Noncompliant
        blockPublicPolicy       : true,
        ignorePublicAcls        : true,
        restrictPublicBuckets   : true
    })
});

Compliant solution

const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls         : true,
        blockPublicPolicy       : true,
        ignorePublicAcls        : true,
        restrictPublicBuckets   : true
    })
});

The BLOCK_ACLS_ONLY preset only blocks and ignores public ACLs; a public bucket policy can still grant access to the S3 bucket:

Noncompliant code example

const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS_ONLY // Noncompliant
});

Compliant solution

const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL
});

How does this work?

The BlockPublicAccess class controls public access to an S3 bucket through four independent settings:

- blockPublicAcls: rejects requests that would attach a public ACL to the bucket or its objects.
- ignorePublicAcls: ignores any public ACL already present on the bucket or its objects.
- blockPublicPolicy: rejects bucket policies that grant public access.
- restrictPublicBuckets: limits access to a bucket that has a public policy to AWS service principals and authorized users within the account, so anonymous and cross-account access through that policy is denied.

When blockPublicAccess is not set, or when new BlockPublicAccess({…}) is used with some attributes omitted, AWS CDK defaults the missing attributes to true. The BlockPublicAccess.BLOCK_ALL preset enables all four settings explicitly, providing complete protection. The BlockPublicAccess.BLOCK_ACLS_ONLY preset only enables blockPublicAcls and ignorePublicAcls, explicitly setting blockPublicPolicy and restrictPublicBuckets to false, so a public bucket policy can still expose the bucket.

Resources

Documentation

Standards