Terraform Public Bucket Acl
Description
Identifies AWS S3 buckets configured with public access through ACL policies in Terraform code. Public bucket permissions can allow unauthorized access to sensitive data stored in S3 buckets, potentially leading to data breaches.
Detection Strategy
• Identifies Terraform resources of type 'aws_s3_bucket_acl'
• Examines the 'access_control_policy' configuration block within the resource
• Reports a vulnerability if the ACL settings grant public access permissions
• Specifically checks access control policies that allow unrestricted public read or write access to the bucket
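The detection strategy above, implemented as an added example (not Fluid Attacks' own analyzer): a small regex and brace scanner that walks every aws_s3_bucket_acl resource, inspects each grant inside access_control_policy, and reports grants whose grantee is a public group. It assumes well-formed HCL with no braces inside strings or comments, and treats AuthenticatedUsers as public alongside the AllUsers group shown on this page.

```python
import re

# Grantee URIs that expose a bucket to everyone. AllUsers is the group in the page's
# vulnerable example; AuthenticatedUsers (any AWS account) is an added assumption.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
RESOURCE_RE = re.compile(r'resource\s+"aws_s3_bucket_acl"\s+"([^"]+)"\s*\{')

def _block_body(text, brace_index):
    """Return the text between the '{' at brace_index and its matching '}'."""
    depth = 0
    for i in range(brace_index, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[brace_index + 1:i]
    raise ValueError("unbalanced braces in Terraform source")

def find_public_acls(hcl):
    """Return (name, reason) per public grant in each aws_s3_bucket_acl (regex scanner, not a full HCL parser)."""
    findings = []
    for res in RESOURCE_RE.finditer(hcl):
        name, body = res.group(1), _block_body(hcl, res.end() - 1)
        for g in re.finditer(r'\bgrant\s*\{', body):  # each grant in access_control_policy
            grant = _block_body(body, g.end() - 1)
            uri = re.search(r'\buri\s*=\s*"([^"]+)"', grant)
            perm = re.search(r'\bpermission\s*=\s*"([^"]+)"', grant)
            if uri and uri.group(1) in PUBLIC_GROUP_URIS:
                group = uri.group(1).rsplit("/", 1)[-1]
                findings.append((name, f"{perm.group(1) if perm else 'UNKNOWN'} to {group}"))
    return findings

# Constructed sample: the page's public grant beside a private CanonicalUser grant.
SAMPLE_TF = '''
resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  access_control_policy {
    grant {
      grantee { type = "Group"
                uri  = "http://acs.amazonaws.com/groups/global/AllUsers" }
      permission = "READ"
    }
    grant {
      grantee { type = "CanonicalUser"
                id   = data.aws_canonical_user_id.current.id }
      permission = "FULL_CONTROL"
    }
    owner { id = data.aws_canonical_user_id.current.id }
  }
}
'''
print(find_public_acls(SAMPLE_TF))  # [('example', 'READ to AllUsers')]
```

Only the AllUsers grant is reported; the CanonicalUser grant has no public group URI and is left alone.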
Vulnerable code example
resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  access_control_policy {
    grant {
      grantee {
        type = "Group"
        uri  = "http://acs.amazonaws.com/groups/global/AllUsers" # Security risk: grants access to all users on the internet
      }
      permission = "READ" # Public read access; WRITE or FULL_CONTROL here would be equally exposed
    }
    owner {
      id = data.aws_canonical_user_id.current.id
    }
  }
}
✅ Secure code example
# Block all forms of public access to the bucket
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true # Prevents public ACLs from being added
  block_public_policy     = true # Prevents public bucket policies
  ignore_public_acls      = true # Ignores any public ACL already present on the bucket or its objects
  restrict_public_buckets = true # Restricts access when a public bucket policy exists
}