Secure S3 Buckets With Public Access Blocks In IaC

Nov 24, 2025 by Alex Johnson 51 views

Securing Your S3 Buckets with Public Access Blocks in Infrastructure as Code (IaC)

In the world of cloud computing, Amazon S3 (Simple Storage Service) is a cornerstone for storing and retrieving data. However, with great storage power comes great responsibility, especially when it comes to security. One critical aspect of securing your S3 buckets is controlling public access. This is where aws_s3_bucket_public_access_block comes into play within your Infrastructure as Code (IaC).

Understanding the Importance of Public Access Blocks

Before diving into the how, let's understand the why. S3 buckets, by default, are private. However, misconfigurations or overly permissive access control lists (ACLs) and bucket policies can inadvertently expose your data to the public internet. This can lead to data breaches, compliance violations, and reputational damage. Public access blocks act as a safety net, allowing you to centrally manage and restrict public access to your S3 buckets, regardless of individual bucket policies or ACLs.

The aws_s3_bucket_public_access_block resource in Terraform provides a robust way to enforce these restrictions. By defining this block for each of your S3 buckets, you ensure a consistent and secure configuration across your entire infrastructure. This is particularly crucial in large or complex environments where managing individual bucket permissions can become cumbersome and error-prone. In essence, public access blocks provide a centralized control mechanism, giving you peace of mind that your data remains protected.

Identifying S3 Buckets Missing Public Access Blocks

As highlighted in the initial report, several S3 buckets across different files lack the crucial aws_s3_bucket_public_access_block configuration. These files include:

iac/Terraform/aws/ec2.tf
iac/Terraform/aws/s3.tf
iac/cloudformation/insecure-example.yml

The absence of this block signifies a potential security vulnerability. While the individual bucket policies might seem secure, the lack of a public access block means that these policies can be overridden, potentially leading to unintended public exposure. It's like having a strong lock on your door but leaving the window open – an oversight that can compromise your entire security posture.

Therefore, the first step in securing your S3 buckets is to identify all instances where the aws_s3_bucket_public_access_block is missing. Tools like Veracode, as demonstrated in the report, can automatically scan your IaC configurations and flag these vulnerabilities. Regularly scanning your IaC code is a proactive approach to identify and address potential security risks before they materialize into real-world incidents.

Implementing `aws_s3_bucket_public_access_block` in Terraform

Now, let's get to the practical part – implementing the aws_s3_bucket_public_access_block in Terraform. This resource offers four key settings that control public access:

block_public_acls: When set to true, this prevents the application of new public ACLs to the bucket.
block_public_policy: When set to true, this prevents the application of new bucket policies that grant public access.
ignore_public_acls: When set to true, this ignores all public ACLs on the bucket, effectively treating them as private.
restrict_public_buckets: When set to true, this restricts access to the bucket to only AWS services and authorized users within your account.

To implement the aws_s3_bucket_public_access_block, you'll need to add a new resource block to your Terraform configuration for each S3 bucket. Here's an example:

resource "aws_s3_bucket_public_access_block" "example" {
 bucket = aws_s3_bucket.example.id
 block_public_acls = true
 block_public_policy = true
 ignore_public_acls = true
 restrict_public_buckets = true
}

In this example, we're creating a public access block for the S3 bucket named aws_s3_bucket.example. We're setting all four settings to true, which provides the most restrictive level of public access control. This means:

No new public ACLs can be applied.
No new bucket policies granting public access can be applied.
Existing public ACLs are ignored.
Access is restricted to AWS services and authorized users within your account.

Customizing the Settings:

While setting all four options to true is generally recommended for maximum security, you might need to customize these settings based on your specific use case. For instance, you might need to allow public access for specific objects within the bucket while still restricting overall bucket access. In such cases, you can adjust the block_public_policy setting while keeping the others enabled.

Applying the Block to Existing Buckets:

It's important to note that applying the aws_s3_bucket_public_access_block to an existing bucket might impact applications that rely on public access. Therefore, it's crucial to thoroughly test your changes in a non-production environment before rolling them out to production. This allows you to identify and address any compatibility issues without disrupting your live services.

Addressing the Specific Vulnerabilities in the Report

Let's revisit the files mentioned in the initial report and see how we can address the vulnerabilities.

`iac/Terraform/aws/ec2.tf`

This file contains the definition for the flowbucket S3 bucket. To secure this bucket, we need to add the aws_s3_bucket_public_access_block resource:

resource "aws_s3_bucket" "flowbucket" {
 bucket = "${local.resource_prefix.value}-flowlogs"
 force_destroy = true

 tags = merge({
 Name = "${local.resource_prefix.value}-flowlogs"
 Environment = local.resource_prefix.value
 }, {
 git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
 git_file = "terraform/aws/ec2.tf"
 git_last_modified_at = "2020-06-16 14:46:24"
 git_last_modified_by = "nimrodkor@gmail.com"
 git_modifiers = "nimrodkor"
 git_org = "bridgecrewio"
 git_repo = "terragoat"
 yor_trace = "f058838a-b1e0-4383-b965-7e06e987ffb1"
 })
}

resource "aws_s3_bucket_public_access_block" "flowbucket_public_access_block" {
 bucket = aws_s3_bucket.flowbucket.id
 block_public_acls = true
 block_public_policy = true
 ignore_public_acls = true
 restrict_public_buckets = true
}

We've added a new resource block, aws_s3_bucket_public_access_block, and associated it with the flowbucket S3 bucket using bucket = aws_s3_bucket.flowbucket.id. We've also set all four public access control settings to true.

`iac/Terraform/aws/s3.tf`

This file contains definitions for multiple S3 buckets, including data, financials, operations, data_science, and logs. We need to add a aws_s3_bucket_public_access_block resource for each of these buckets.

Here's an example of how to add the block for the data bucket:

resource "aws_s3_bucket" "data" {
 # bucket is public
 # bucket is not encrypted
 # bucket does not have access logs
 # bucket does not have versioning
 bucket = "${local.resource_prefix.value}-data"
 force_destroy = true
 tags = merge({
 Name = "${local.resource_prefix.value}-data"
 Environment = local.resource_prefix.value
 }, {
 git_commit = "4d57f83ca4d3a78a44fb36d1dcf0d23983fa44f5"
 git_file = "terraform/aws/s3.tf"
 git_last_modified_at = "2022-05-18 07:08:06"
 git_last_modified_by = "nimrod@bridgecrew.io"
 git_modifiers = "34870196+LironElbaz/nimrod/nimrodkor"
 git_org = "bridgecrewio"
 git_repo = "terragoat"
 yor_trace = "0874007d-903a-4b4c-945f-c9c233e13243"
 })
}

resource "aws_s3_bucket_public_access_block" "data_public_access_block" {
 bucket = aws_s3_bucket.data.id
 block_public_acls = true
 block_public_policy = true
 ignore_public_acls = true
 restrict_public_buckets = true
}

You'll need to repeat this process for the remaining buckets in this file, ensuring that each bucket has its corresponding aws_s3_bucket_public_access_block resource.

`iac/cloudformation/insecure-example.yml`

This file uses CloudFormation, not Terraform. Therefore, we need to use the AWS::S3::BucketPublicAccessBlock resource in CloudFormation to achieve the same result.

Here's how you can add the public access block to the mybucketVulnerable bucket in CloudFormation:

Resources:
 mybucketVulnerable:
 Type: "AWS::S3::Bucket"
 DeletionPolicy: Retain
 Properties:
 ReplicationConfiguration:
 Role:
 Fn::GetAtt:
 - WorkItemBucketBackupRole
 - Arn
 Rules:
 - Destination:
 Bucket:
 Fn::Join:
 - ""
 - - "arn:aws:s3:::"
 - "Fn::Join":
 - "-"
 - - Ref: "AWS::Region"
 - Ref: "AWS::StackName"
 - replicationbucket
 StorageClass: STANDARD
 Id: Backup
 Prefix: ""
 Status: Enabled
 VersioningConfiguration:
 Status: Enabled
 BucketPublicAccessBlock:
 BlockPublicAcls: true
 BlockPublicPolicy: true
 IgnorePublicAcls: true
 RestrictPublicBuckets: true
 WorkItemBucketBackupRole:
 Type: "AWS::IAM::Role"
 Properties:
 AssumeRolePolicyDocument:
 Statement:

We've added the BucketPublicAccessBlock property to the mybucketVulnerable resource and set all four settings (BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, and RestrictPublicBuckets) to true.

Best Practices for Managing S3 Bucket Security

Implementing public access blocks is a significant step towards securing your S3 buckets, but it's not the only measure you should take. Here are some additional best practices:

Principle of Least Privilege: Always grant the minimum necessary permissions to users and applications. Avoid using wildcard characters ( * ) in your bucket policies and ACLs.
Regular Audits: Regularly review your S3 bucket configurations, including bucket policies, ACLs, and public access blocks, to ensure they align with your security requirements.
Enable Versioning: Enabling versioning allows you to recover from accidental deletions or overwrites. It also provides an audit trail of changes made to your objects.
Enable Encryption: Encrypt your data at rest and in transit to protect it from unauthorized access. S3 offers several encryption options, including server-side encryption (SSE) and client-side encryption.
Use Access Logs: Enable access logging to track requests made to your S3 buckets. This information can be valuable for security analysis and troubleshooting.
Implement Multi-Factor Authentication (MFA): Require MFA for sensitive operations, such as deleting buckets or changing bucket policies.
Monitor and Alert: Set up monitoring and alerting for suspicious activity in your S3 buckets. This allows you to quickly detect and respond to potential security incidents.

By following these best practices, you can create a robust security posture for your S3 buckets and protect your data from unauthorized access.

Conclusion

Securing your S3 buckets is paramount in today's cloud-centric world. The aws_s3_bucket_public_access_block resource in Terraform and the AWS::S3::BucketPublicAccessBlock resource in CloudFormation provide powerful tools for managing public access and preventing data breaches. By implementing these resources and following the best practices outlined in this article, you can significantly enhance the security of your S3 buckets and protect your valuable data.

Remember, security is not a one-time fix but an ongoing process. Regularly review your configurations, stay updated on the latest security threats, and adapt your security measures accordingly. By making security a priority, you can ensure the confidentiality, integrity, and availability of your data in the cloud.

For more in-depth information on AWS S3 security best practices, consider exploring the official AWS S3 Security Documentation.