S3 Bucket Allows List Action From All Principals

• Query id: d395a950-12ce-4314-a742-ac5a785ab44e
• Query name: S3 Bucket Allows List Action From All Principals
• Platform: Ansible
• Severity: High
• Category: Access Control
• URL: Github

Description

S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file

#this is a problematic code where the query should report a result(s)
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2020-10-07"
      Statement:
      - Effect: Allow
        Action: ListObject
        Principal: "*"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

#this code is a correct code for which the query should not find any result
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: '2020-10-07'
      Statement:
      - Effect: Allow
        Action: ListObject
        Principal: NotAll