AWS S3 Block Public Access RestrictPublicBuckets Disabled (CKV_AWS_5)

High Risk | Infrastructure Security

Tags: aws, s3, public-access, data-exposure, bucket-policy, access-control, terraform, cloudformation, checkov, ckv-aws-5

What it is

A security misconfiguration in which the Amazon S3 Block Public Access setting RestrictPublicBuckets is not enabled for a bucket. This leaves the bucket open to accidental or malicious public exposure: a permissive bucket policy can grant public or cross-account access to sensitive data and S3 will honour it. With RestrictPublicBuckets enabled, S3 ignores public and cross-account access granted by such a policy, so a single mistaken policy statement cannot expose private data to unauthorized external access.

# VULNERABLE: S3 bucket without Block Public Access (CKV_AWS_5)
resource "aws_s3_bucket" "user_uploads" {
  bucket = "company-user-uploads"
  
  # VULNERABLE: Missing aws_s3_bucket_public_access_block
  
  tags = {
    Environment = "production"
  }
}

# VULNERABLE: CloudFormation without Block Public Access
Resources:
  UserUploadsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: company-user-uploads
      # VULNERABLE: Missing PublicAccessBlockConfiguration
      Tags:
        - Key: Environment
          Value: production

# SECURE: S3 bucket with Block Public Access (CKV_AWS_5)
resource "aws_s3_bucket" "user_uploads" {
  bucket = "company-user-uploads"
  
  tags = {
    Environment = "production"
  }
}

# SECURE: Enable Block Public Access
resource "aws_s3_bucket_public_access_block" "user_uploads" {
  bucket = aws_s3_bucket.user_uploads.id
  
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true  # CKV_AWS_5
}

# SECURE: CloudFormation with Block Public Access
Resources:
  UserUploadsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: company-user-uploads
      # SECURE: Enable Block Public Access
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true  # CKV_AWS_5
      Tags:
        - Key: Environment
          Value: production

💡 Why This Fix Works

The vulnerable examples create S3 buckets with no Block Public Access configuration at all (no aws_s3_bucket_public_access_block resource in Terraform, no PublicAccessBlockConfiguration property in CloudFormation), so any bucket policy that grants public access would take effect; that is the CKV_AWS_5 finding. The secure implementations attach a Block Public Access configuration with all four settings enabled, including RestrictPublicBuckets, so a policy granting public or cross-account access is ignored rather than applied.
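To make the scanner's condition concrete, here is an added static check over a CloudFormation template that reports the same finding as the CKV_AWS_5 rule described on this page (this is example code, not Checkov's own implementation). It walks every AWS::S3::Bucket, treats a missing PublicAccessBlockConfiguration as all four flags off, and also reports the other three flags so a reviewer sees the full picture. The templates are constructed for the example and written in CloudFormation's JSON form so no YAML library is needed.

```python
"""Static CKV_AWS_5-style scan of a CloudFormation template.

Added example, not Checkov's source: it reproduces the condition this page
describes (every AWS::S3::Bucket must carry a PublicAccessBlockConfiguration
with RestrictPublicBuckets set to true) and lists the other three flags too.
Templates below are constructed for the example.
"""
import json

# All four Block Public Access flags; the page's check is about the last one.
PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")


def _is_true(value) -> bool:
    # CloudFormation accepts real booleans or the strings "true"/"false".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def missing_pab_flags(properties: dict) -> list:
    """Return the Block Public Access flags a bucket's Properties do not enable.

    A missing PublicAccessBlockConfiguration counts as all four flags off,
    which is also how S3 behaves when no configuration has been set.
    """
    pab = properties.get("PublicAccessBlockConfiguration") or {}
    return [flag for flag in PAB_FLAGS if not _is_true(pab.get(flag))]


def scan_template(template: dict) -> dict:
    """Map each AWS::S3::Bucket that fails CKV_AWS_5 to its missing flags."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue  # other resource types are out of scope for this rule
        missing = missing_pab_flags(resource.get("Properties") or {})
        if "RestrictPublicBuckets" in missing:
            findings[logical_id] = missing
    return findings


# Constructed templates: the page's vulnerable bucket, its secure form, and a
# partially configured bucket that still fails the check.
VULNERABLE_TEMPLATE = json.loads("""
{"Resources": {
  "UserUploadsBucket": {"Type": "AWS::S3::Bucket",
    "Properties": {"BucketName": "company-user-uploads"}}}}
""")

SECURE_TEMPLATE = json.loads("""
{"Resources": {
  "UserUploadsBucket": {"Type": "AWS::S3::Bucket",
    "Properties": {"BucketName": "company-user-uploads",
      "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true, "BlockPublicPolicy": true,
        "IgnorePublicAcls": true, "RestrictPublicBuckets": true}}},
  "UploadsQueue": {"Type": "AWS::SQS::Queue", "Properties": {}}}}
""")

PARTIAL_TEMPLATE = json.loads("""
{"Resources": {
  "LogsBucket": {"Type": "AWS::S3::Bucket",
    "Properties": {"PublicAccessBlockConfiguration": {
      "BlockPublicAcls": true, "RestrictPublicBuckets": "false"}}}}}
""")

if __name__ == "__main__":
    for name, tpl in (("vulnerable", VULNERABLE_TEMPLATE),
                      ("secure", SECURE_TEMPLATE),
                      ("partial", PARTIAL_TEMPLATE)):
        print(name, scan_template(tpl) or "PASS")
```

The partial template is the case worth noticing: enabling BlockPublicAcls alone does nothing about bucket policies, so the bucket still fails on RestrictPublicBuckets.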

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

These AWS CLI commands demonstrate how to check and configure Block Public Access settings, verify bucket security, and audit existing buckets for potential public access issues.
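The same check-and-configure flow, written as an added Python (boto3) audit rather than the page's own CLI commands: it reads the account-level setting and every bucket's PublicAccessBlockConfiguration, treats the NoSuchPublicAccessBlockConfiguration error as "nothing configured", and can optionally apply the full configuration. It assumes boto3 is installed and credentials are configured when run against a real account; the evaluation functions are pure and are exercised offline against a constructed sample of API responses.

```python
"""Audit S3 Block Public Access at bucket and account level, optionally fixing it.

Added example, not Sourcery's or AWS's code. The AWS calls assume boto3 is
installed and credentials are configured; the evaluation functions are pure
so they run without any AWS access. APIs used: s3.list_buckets,
s3.get_public_access_block, s3.put_public_access_block,
s3control.get_public_access_block and sts.get_caller_identity.
"""
REQUIRED_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                  "IgnorePublicAcls", "RestrictPublicBuckets")
# Error code S3 returns when no PublicAccessBlock has ever been set.
NOT_CONFIGURED = "NoSuchPublicAccessBlockConfiguration"


def missing_flags(config) -> list:
    """Flags not enabled in a PublicAccessBlockConfiguration dict.

    None means the API reported no configuration at all, which S3 treats
    exactly like all four flags being false.
    """
    cfg = config or {}
    return [flag for flag in REQUIRED_FLAGS if cfg.get(flag) is not True]


def restrict_public_buckets_enabled(config) -> bool:
    """The CKV_AWS_5 condition on its own."""
    return "RestrictPublicBuckets" not in missing_flags(config)


def full_block_config() -> dict:
    """Configuration value that enables all four settings."""
    return {flag: True for flag in REQUIRED_FLAGS}


def get_config_or_none(get_call, **params):
    """Call a get_public_access_block API, mapping 'not configured' to None."""
    from botocore.exceptions import ClientError  # only needed against AWS
    try:
        return get_call(**params)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] == NOT_CONFIGURED:
            return None
        raise


def audit_account(remediate: bool = False) -> dict:
    """Report missing flags for the account-level setting and each bucket."""
    import boto3
    s3 = boto3.client("s3")
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    s3control = boto3.client("s3control")
    report = {}
    # Account-level Block Public Access applies to every bucket in the account.
    acct_cfg = get_config_or_none(s3control.get_public_access_block,
                                  AccountId=account_id)
    report["account/" + account_id] = missing_flags(acct_cfg)
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        missing = missing_flags(
            get_config_or_none(s3.get_public_access_block, Bucket=name))
        if missing and remediate:
            s3.put_public_access_block(
                Bucket=name, PublicAccessBlockConfiguration=full_block_config())
        report[name] = missing
    return report


# Constructed sample of what get_public_access_block can yield per bucket:
# nothing configured, three of four flags set, and the fully locked-down case.
SAMPLE_RESPONSES = {
    "company-user-uploads": None,
    "company-logs": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                     "IgnorePublicAcls": True, "RestrictPublicBuckets": False},
    "company-backups": full_block_config(),
}


def audit_sample() -> dict:
    """Offline counterpart of audit_account, run over SAMPLE_RESPONSES."""
    return {name: missing_flags(cfg) for name, cfg in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, missing in audit_sample().items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Run `audit_account()` to report only, and `audit_account(remediate=True)` to also apply the full configuration to any bucket that is missing a flag; the account-level result is reported but left for a deliberate change, since it affects every bucket at once.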

Why it happens

S3 buckets are created without configuring Block Public Access settings, relying only on bucket policies and ACLs for access control. This commonly occurs when developers are unaware of Block Public Access features or when using older infrastructure templates that predate these security controls. Without these protections, misconfigured bucket policies can inadvertently expose data.

Root causes

Missing Block Public Access in Infrastructure Code

Infrastructure as Code templates (Terraform, CloudFormation) define S3 buckets without aws_s3_bucket_public_access_block resources or PublicAccessBlockConfiguration properties. This often happens when using basic examples or when security requirements are not clearly documented in infrastructure standards and templates.

Incomplete Understanding of S3 Access Controls

Teams configure bucket policies without understanding how Block Public Access settings provide an additional layer of protection. They may believe that proper bucket policies are sufficient, not realizing that Block Public Access acts as a safety net against policy misconfigurations and prevents accidental public exposure.

Fixes

1. Enable S3 Block Public Access

Configure Block Public Access settings on all S3 buckets by setting restrict_public_buckets = true in aws_s3_bucket_public_access_block resources in Terraform, or RestrictPublicBuckets: true in CloudFormation PublicAccessBlockConfiguration. This prevents bucket policies from granting public access even if policies are misconfigured.

2. Implement Account-Level Block Public Access

Enable Block Public Access at the account level using aws_s3_account_public_access_block in Terraform or AWS CLI commands. This provides organization-wide protection and ensures all buckets inherit secure defaults. Consider enabling all four Block Public Access settings for comprehensive protection.

3. Establish S3 Security Governance

Create organizational policies using AWS Config rules, Service Control Policies (SCPs), or infrastructure scanning tools like Checkov to automatically detect and require Block Public Access on all S3 buckets. Implement security reviews for any legitimate public access requirements.

Detect This Vulnerability in Your Code

Sourcery automatically identifies AWS S3 Block Public Access RestrictPublicBuckets Disabled (CKV_AWS_5) and many other security issues in your codebase.