S3 public access block turned off
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
An aws_s3_bucket_public_access_block sets one of its four guards to false, re-enabling the public ACLs or bucket policies the account-level block is meant to prevent.
Why it matters
The S3 public access block is the account and bucket level guard that stops public ACLs and bucket policies from taking effect. Setting any of its four flags to false re-opens the exact exposure it exists to prevent, so a later ACL or policy mistake becomes a real public bucket. The safe posture is all four flags true.
How to fix it
Set block_public_acls, block_public_policy, ignore_public_acls, and restrict_public_buckets all to true on the aws_s3_bucket_public_access_block. If a specific object path must be public, serve it through CloudFront rather than relaxing these flags. Review why any flag was set to false before changing it, since something may currently depend on the public path.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo