S3 Bucket ACL Grants WRITE_ACP Permission
- Query id: 64a222aa-7793-4e40-915f-4b302c76e4d4
- Query name: S3 Bucket ACL Grants WRITE_ACP Permission
- Platform: Terraform
- Severity: Critical
- Category: Access Control
- URL: Github
Description¶
S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
data "aws_canonical_user_id" "current" {}
resource "aws_s3_bucket" "example" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_acl" "example" {
bucket = aws_s3_bucket.example.id
access_control_policy {
grant {
grantee {
type = "Group"
uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
}
permission = "WRITE_ACP"
}
owner {
id = data.aws_canonical_user_id.current.id
}
}
}
Positive test num. 2 - tf file
data "aws_canonical_user_id" "current" {}
resource "aws_s3_bucket" "example" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_acl" "example" {
bucket = aws_s3_bucket.example.id
access_control_policy {
grant {
grantee {
id = data.aws_canonical_user_id.current.id
type = "CanonicalUser"
}
permission = "READ"
}
grant {
grantee {
type = "Group"
uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
}
permission = "WRITE_ACP"
}
owner {
id = data.aws_canonical_user_id.current.id
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
data "aws_canonical_user_id" "current" {}
resource "aws_s3_bucket" "example" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_acl" "example" {
bucket = aws_s3_bucket.example.id
access_control_policy {
grant {
grantee {
id = data.aws_canonical_user_id.current.id
type = "CanonicalUser"
}
permission = "READ"
}
grant {
grantee {
type = "Group"
uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
}
permission = "READ_ACP"
}
owner {
id = data.aws_canonical_user_id.current.id
}
}
}