← all rules

iac/cloudformation/cfn-s3-public-access-block-disabled

S3 public access block is disabled

mediumCloudFormationiac-cloudformation

What it detects

Setting any of `BlockPublicAcls`, `BlockPublicPolicy`, `IgnorePublicAcls`, or `RestrictPublicBuckets` to `false` weakens the guardrail that stops a bucket from accidentally becoming public.

Remediation

Keep all four `PublicAccessBlockConfiguration` flags `true` unless you have a documented reason to serve objects publicly.

How it runs

Run against YAML/JSON files that look like CloudFormation templates (AWSTemplateFormatVersion, or Resources + an AWS:: type). Line-based checks; the security-group rule tracks ingress-vs-egress context. Non-template YAML/JSON is skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.