S3 Bucket With Unsecured CORS Rule

Query id: 3609d27c-3698-483a-9402-13af6ae80583
Query name: S3 Bucket With Unsecured CORS Rule
Platform: CloudFormation
Severity: High
Category: Insecure Configurations
URL: Github

Description¶

If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Postitive test num. 1 - yaml file

Re

Postitive test num. 2 - json file

AWSTemplateFormatVersion: 2010-09-09 sources: S3Bucket: Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead CorsConfiguration: class="w">        CorsRules: - AllowedHeaders: - '*' AllowedMethods: - GET AllowedOrigins: - '*' ExposedHeaders: - Date Id: myCORSRuleId1 MaxAge: 3600 - AllowedMethods: - DELETE AllowedOrigins: - 'http://www.example.com' - 'http://www.example.net' ExposedHeaders: - Connection - Server - Date Id: myCORSRuleId2 MaxAge: 1800 { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "S3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "CorsConfiguration": { class="w">          "CorsRules": [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "GET" ], "AllowedOrigins": [ "*" ], "ExposedHeaders": [ "Date" ], "Id": "myCORSRuleId1", "MaxAge": 3600 }, { "AllowedMethods": [ "DELETE" ], "AllowedOrigins": [ "http://www.example.com", "http://www.example.net" ], "ExposedHeaders": [ "Connection", "Server", "Date" ], "Id": "myCORSRuleId2", "MaxAge": 1800 } ] } } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileAWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: PublicRead
      CorsConfiguration:
        CorsRules:
          - AllowedMethods:
              - GET
            AllowedOrigins:
              - 'https://s3-website-test.hashicorp.com'
            ExposedHeaders:
              - Date
            Id: myCORSRuleId1
            MaxAge: 3600
          - AllowedMethods:
              - DELETE
            AllowedOrigins:
              - 'http://www.example.com'
              - 'http://www.example.net'
            ExposedHeaders:
              - Connection
              - Server
              - Date
            Id: myCORSRuleId2
            MaxAge: 1800

Negative test num. 2 - json file{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "PublicRead",
        "CorsConfiguration": {
          "CorsRules": [
            {
              "AllowedMethods": [
                "GET"
              ],
              "AllowedOrigins": [
                "https://s3-website-test.hashicorp.com"
              ],
              "ExposedHeaders": [
                "Date"
              ],
              "Id": "myCORSRuleId1",
              "MaxAge": 3600
            },
            {
              "AllowedMethods": [
                "DELETE"
              ],
              "AllowedOrigins": [
                "http://www.example.com",
                "http://www.example.net"
              ],
              "ExposedHeaders": [
                "Connection",
                "Server",
                "Date"
              ],
              "Id": "myCORSRuleId2",
              "MaxAge": 1800
            }
          ]
        }
      }
    }
  }
}