Primary finding
S3 BlockPublicAccess fully disabled enables unintended public exposure via ACLs/policies
- infra/stack.py:41-46
- infra/stack.py:55-60
All four S3 Block Public Access flags are set to False. The bucket policy does scope public read to dashboard/*, but with ignore_public_acls and block_public_acls disabled, bucket or object ACLs can independently grant public access, and nothing prevents a future ACL or policy from exposing more than that prefix. Best practice is to keep ACLs blocked and ignored and to rely solely on a narrowly scoped bucket policy for the required prefix.
Recommendation
Harden Block Public Access. Set block_public_acls=True and ignore_public_acls=True so that no ACL can grant public access; leave block_public_policy=False and restrict_public_buckets=False only if the dashboard/* public policy is genuinely required. Alternatively, keep all four flags at their secure defaults and serve dashboard/* through a scoped bucket policy, adding a condition (e.g., aws:Referer or an IP allowlist) where feasible.
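As an added check (not code from the reviewed project), the following audits a synthesized CloudFormation template for this exact misconfiguration: it flags any AWS::S3::Bucket whose ACL-blocking flags are off and reports the policy-level flags separately, since those are the ones the dashboard/* policy deliberately leaves open. The template below is a constructed sample rather than real `cdk synth` output from infra/stack.py; the PublicAccessBlockConfiguration keys are the CloudFormation counterparts of the CDK flags named above.

```python
import json

# Constructed sample template: one bucket mirroring the finding (all four flags
# False), one with the recommended hardening, and one with no block configured.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "DashboardBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": False, "IgnorePublicAcls": False,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
        "HardenedBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "NotABucket": {"Type": "AWS::SQS::Queue", "Properties": {}},
    }
})

ACL_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls")
POLICY_FLAGS = ("BlockPublicPolicy", "RestrictPublicBuckets")
ACL_MSG = "ACL-based public access possible: set BlockPublicAcls and IgnorePublicAcls"
POLICY_MSG = "public bucket policies permitted: acceptable only with a narrowly scoped policy"
MISSING_MSG = "no PublicAccessBlockConfiguration: bucket relies on account/default settings"


def acl_exposure_possible(cfg: dict) -> bool:
    """True when either ACL flag is absent or False, i.e. an ACL could grant public access."""
    return not all(cfg.get(flag, False) for flag in ACL_FLAGS)


def public_policy_permitted(cfg: dict) -> bool:
    """True when either policy flag is absent or False, i.e. a public policy is accepted."""
    return not all(cfg.get(flag, False) for flag in POLICY_FLAGS)


def audit_public_access_block(template_json: str) -> dict:
    """Map each AWS::S3::Bucket logical id to its list of findings (empty = clean)."""
    resources = json.loads(template_json).get("Resources", {})
    findings = {}
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        cfg = res.get("Properties", {}).get("PublicAccessBlockConfiguration")
        if cfg is None:
            findings[logical_id] = [MISSING_MSG]
            continue
        issues = []
        if acl_exposure_possible(cfg):
            issues.append(ACL_MSG)
        if public_policy_permitted(cfg):
            issues.append(POLICY_MSG)
        findings[logical_id] = issues
    return findings
```

Run it against the JSON written by `cdk synth` to confirm the stack's buckets no longer produce the ACL finding after the fix.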