S3 Bucket Should Have Bucket Policy

  • Query id: 37fa8188-738b-42c8-bf82-6334ea567738
  • Query name: S3 Bucket Should Have Bucket Policy
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Insecure Defaults
  • URL: Github

Description

Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  S3Bucket3:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: docexamplebucket1
  SampleBucketPolicy5:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: docexamplebucketfail
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket1
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties: {}
  SampleBucketPolicy2:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: docexamplebucket2
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
  S3Bucket7:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: docexamplebucket5
  SampleBucketPolicy8:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref docexamplebucketfail2
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket1
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
Postitive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "SampleBucketPolicy8": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": "docexamplebucketfail2",
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetObject"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "docexamplebucket1"
                    },
                    "/*"
                  ]
                ]
              },
              "Principal": "*",
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              }
            }
          ]
        }
      }
    },
    "S3Bucket3": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "BucketName": "docexamplebucket1"
      }
    },
    "SampleBucketPolicy5": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "docexamplebucketfail"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              },
              "Action": [
                "s3:GetObject"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "docexamplebucket1"
                    },
                    "/*"
                  ]
                ]
              },
              "Principal": "*"
            }
          ]
        }
      }
    },
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {}
    },
    "SampleBucketPolicy2": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": "docexamplebucket2",
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetObject"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "docexamplebucket"
                    },
                    "/*"
                  ]
                ]
              },
              "Principal": "*",
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              }
            }
          ]
        }
      }
    },
    "S3Bucket7": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "BucketName": "docexamplebucket5"
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}
Postitive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  MyS3Bucket2:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: PublicRead
      MetricsConfigurations:
        - Id: EntireBucket
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
        RoutingRules:
          - RoutingRuleCondition:
              HttpErrorCodeReturnedEquals: '404'
              KeyPrefixEquals: out1/
            RedirectRule:
              HostName: ec2-11-22-333-44.compute-1.amazonaws.com
              ReplaceKeyPrefixWith: report-404/

Postitive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "MyS3Bucket2": {
      "Properties": {
        "AccessControl": "PublicRead",
        "MetricsConfigurations": [
          {
            "Id": "EntireBucket"
          }
        ],
        "WebsiteConfiguration": {
          "ErrorDocument": "error.html",
          "IndexDocument": "index.html",
          "RoutingRules": [
            {
              "RedirectRule": {
                "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com",
                "ReplaceKeyPrefixWith": "report-404/"
              },
              "RoutingRuleCondition": {
                "HttpErrorCodeReturnedEquals": "404",
                "KeyPrefixEquals": "out1/"
              }
            }
          ]
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: docexamplebucket
  SampleBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: docexamplebucket
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
  S3Bucket9:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: docexamplebucket
  SampleBucketPolicy10:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref docexamplebucket
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "BucketName": "docexamplebucket"
      }
    },
    "SampleBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": "docexamplebucket",
        "PolicyDocument": {
          "Statement": [
            {
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "docexamplebucket"
                    },
                    "/*"
                  ]
                ]
              },
              "Principal": "*",
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              },
              "Action": [
                "s3:GetObject"
              ],
              "Effect": "Allow"
            }
          ]
        }
      }
    },
    "S3Bucket9": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "BucketName": "docexamplebucket"
      }
    },
    "SampleBucketPolicy10": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Principal": "*",
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              },
              "Action": [
                "s3:GetObject"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "docexamplebucket"
                    },
                    "/*"
                  ]
                ]
              }
            }
          ]
        },
        "Bucket": "docexamplebucket"
      }
    }
  }
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  MyS3Bucket22:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: PublicRead
      MetricsConfigurations:
        - Id: EntireBucket
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
        RoutingRules:
          - RoutingRuleCondition:
              HttpErrorCodeReturnedEquals: '404'
              KeyPrefixEquals: out1/
            RedirectRule:
              HostName: ec2-11-22-333-44.compute-1.amazonaws.com
              ReplaceKeyPrefixWith: report-404/
  SampleBucketPolicy2:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyS3Bucket22
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'

Negative test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Description": "A sample template",
  "Resources": {
    "MyS3Bucket22": {
      "Properties": {
        "AccessControl": "PublicRead",
        "MetricsConfigurations": [
          {
            "Id": "EntireBucket"
          }
        ],
        "WebsiteConfiguration": {
          "ErrorDocument": "error.html",
          "IndexDocument": "index.html",
          "RoutingRules": [
            {
              "RedirectRule": {
                "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com",
                "ReplaceKeyPrefixWith": "report-404/"
              },
              "RoutingRuleCondition": {
                "HttpErrorCodeReturnedEquals": "404",
                "KeyPrefixEquals": "out1/"
              }
            }
          ]
        }
      },
      "Type": "AWS::S3::Bucket"
    },
    "SampleBucketPolicy2": {
      "Properties": {
        "Bucket": "MyS3Bucket22",
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetObject"
              ],
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              },
              "Effect": "Allow",
              "Principal": "*",
              "Resource": {
                "Fn::Join": [
                  "",
                  {
                    "playbooks": [
                      "arn:aws:s3:::",
                      {
                        "Ref": "docexamplebucket"
                      },
                      "/*"
                    ]
                  }
                ]
              }
            }
          ]
        }
      },
      "Type": "AWS::S3::BucketPolicy"
    }
  }
}