CRITICAL · S3 · Security

S3 Bucket Public Access

s3-bucket-public-access

What this rule checks

Detects S3 buckets with public access enabled.

How to fix it

  1. Enable S3 Block Public Access settings
  2. Review bucket policies for public access
  3. Use VPC endpoints for private access
Flagged: BLOCK_ACLS leaves BlockPublicPolicy and RestrictPublicBuckets false (and this bucket is also unencrypted and unversioned), so the s3Buckets check emits several findings, all tagged s3-bucket-public-access.
import * as s3 from 'aws-cdk-lib/aws-s3';

// Only ACLs are blocked — public bucket policies and public access are
// still permitted (BlockPublicPolicy / RestrictPublicBuckets are false).
new s3.Bucket(this, 'Bucket', {
  blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS,
});
Fixed: A fully hardened bucket (BLOCK_ALL public access, S3-managed encryption, versioning and enforced SSL) clears every s3-bucket-public-access branch, yielding zero findings for that ruleId. (enforceSSL adds a separate bucket-policy resource that is evaluated under a different rule.)
import * as s3 from 'aws-cdk-lib/aws-s3';

// Fully hardened: all four public-access blocks on, encrypted, versioned,
// and TLS enforced.
new s3.Bucket(this, 'Bucket', {
  blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
  encryption: s3.BucketEncryption.S3_MANAGED,
  versioned: true,
  enforceSSL: true,
});
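
As an added example (my own code, not the CDK Insights implementation of this rule), the TypeScript checker below walks a synthesised CloudFormation template and reports the conditions that the three fix steps above address: a PublicAccessBlockConfiguration flag left off (step 1), and a bucket-policy Allow to a wildcard principal (step 2) unless that statement is scoped to a VPC endpoint or VPC with aws:SourceVpce / aws:SourceVpc (step 3). It covers only the public-access branches, not the encryption or versioning findings. The two template objects are constructed by hand to approximate what `cdk synth` emits for the Flagged and Fixed snippets; the logical IDs, the bucket ARN and the `vpce-PLACEHOLDER` endpoint ID are placeholders, and the Deny statement stands in for the policy enforceSSL adds.

```typescript
// Added example, not the CDK Insights implementation: a small checker that walks a
// synthesised CloudFormation template and reports the public-access conditions this
// rule is about. It covers only the public-access branches, not encryption/versioning.

interface Finding { ruleId: string; resource: string; message: string; }

const RULE_ID = 's3-bucket-public-access';

// The four PublicAccessBlockConfiguration flags: BLOCK_ALL sets all four,
// BLOCK_ACLS only the first two.
const PUBLIC_ACCESS_FLAGS = ['BlockPublicAcls', 'IgnorePublicAcls', 'BlockPublicPolicy', 'RestrictPublicBuckets'];

// "*" or {"AWS": "*"} (or a list containing "*") means anyone.
function isWildcardPrincipal(principal: any): boolean {
  if (principal === '*') return true;
  if (principal && typeof principal === 'object') {
    const aws = principal.AWS;
    if (aws === '*') return true;
    if (Array.isArray(aws) && aws.indexOf('*') !== -1) return true;
  }
  return false;
}

// A wildcard principal limited to a VPC endpoint (aws:SourceVpce) or a VPC
// (aws:SourceVpc) is private access (fix step 3), not public access.
function isVpcScoped(statement: any): boolean {
  const condition = statement.Condition || {};
  for (const operator of Object.keys(condition)) {
    for (const key of Object.keys(condition[operator] || {})) {
      const k = key.toLowerCase();
      if (k === 'aws:sourcevpce' || k === 'aws:sourcevpc') return true;
    }
  }
  return false;
}

function checkPublicAccess(template: any): Finding[] {
  const findings: Finding[] = [];
  const resources: Record<string, any> = (template && template.Resources) || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId] || {};
    const props = res.Properties || {};
    if (res.Type === 'AWS::S3::Bucket') {
      // Fix step 1: each flag must be explicitly true; an absent flag is off.
      const cfg = props.PublicAccessBlockConfiguration || {};
      for (const flag of PUBLIC_ACCESS_FLAGS) {
        if (cfg[flag] !== true) {
          findings.push({ ruleId: RULE_ID, resource: logicalId, message: flag + ' is not true' });
        }
      }
    } else if (res.Type === 'AWS::S3::BucketPolicy') {
      // Fix step 2: an Allow to a wildcard principal with no VPC scoping is public.
      const doc = props.PolicyDocument || {};
      const statements: any[] = Array.isArray(doc.Statement) ? doc.Statement : doc.Statement ? [doc.Statement] : [];
      for (const st of statements) {
        if (st.Effect === 'Allow' && isWildcardPrincipal(st.Principal) && !isVpcScoped(st)) {
          findings.push({ ruleId: RULE_ID, resource: logicalId, message: 'policy allows a wildcard principal without VPC scoping' });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: roughly what the BLOCK_ACLS ("Flagged") snippet synthesises to.
const FLAGGED_TEMPLATE = {
  Resources: {
    Bucket: {
      Type: 'AWS::S3::Bucket',
      Properties: { PublicAccessBlockConfiguration: { BlockPublicAcls: true, IgnorePublicAcls: true } },
    },
  },
};

// Constructed sample: roughly what the BLOCK_ALL + enforceSSL ("Fixed") snippet synthesises
// to (the Deny stands in for the enforceSSL policy), plus an Allow that admits "*" only
// through a placeholder VPC endpoint, so the checker must report nothing here.
const FIXED_TEMPLATE = {
  Resources: {
    Bucket: {
      Type: 'AWS::S3::Bucket',
      Properties: {
        PublicAccessBlockConfiguration: {
          BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true,
        },
      },
    },
    BucketPolicy: {
      Type: 'AWS::S3::BucketPolicy',
      Properties: {
        Bucket: { Ref: 'Bucket' },
        PolicyDocument: {
          Statement: [
            { Effect: 'Deny', Principal: { AWS: '*' }, Action: 's3:*', Resource: 'arn:aws:s3:::example-bucket/*',
              Condition: { Bool: { 'aws:SecureTransport': 'false' } } },
            { Effect: 'Allow', Principal: '*', Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-bucket/*',
              Condition: { StringEquals: { 'aws:SourceVpce': 'vpce-PLACEHOLDER' } } },
          ],
        },
      },
    },
  },
};

console.log(checkPublicAccess(FLAGGED_TEMPLATE)); // two findings: BlockPublicPolicy, RestrictPublicBuckets
console.log(checkPublicAccess(FIXED_TEMPLATE));   // []
```

Run it against the JSON under `cdk.out/` after `cdk synth` to see the same split the Flagged/Fixed tabs show: the BLOCK_ACLS template produces one finding per missing flag, while the fully blocked bucket is clean even though its policy contains a wildcard principal, because that statement is both a Deny (enforceSSL) and, for the Allow, scoped to a VPC endpoint.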

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::S3::Bucket

Compliance frameworks

SOC2, HIPAA, PCI-DSS, CIS, NIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate (a genuinely public endpoint, say). You can dismiss s3-bucket-public-access; the reason is kept in the report rather than silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "s3-bucket-public-access", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::s3-bucket-public-access',
  reason: 'Why this is intentional',
});

Use the rule ID s3-bucket-public-access shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs →

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app โ€” free, no account, your code never leaves your machine.
