S3 Bucket Allows Get Action From All Principals
- Query id: 53bce6a8-5492-4b1b-81cf-664385f0c4bf
- Query name: S3 Bucket Allows Get Action From All Principals
- Platform: Ansible
- Severity: High
- Category: Access Control
- URL: Github
Description
S3 buckets must not allow Get actions from all principals. A bucket-policy statement whose 'Effect' is 'Allow', whose 'Action' covers an S3 Get action (for example s3:GetObject or s3:Get*), and whose 'Principal' is "*" lets anyone on the internet read every object the statement's Resource covers, leaking private data. The query reports any statement that combines these three settings.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file

```yaml
#this is a problematic code where the query should report a result(s)
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      # AWS only accepts the 2012-10-17 (or 2008-10-17) policy language version
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          # a read grant on every object in the bucket ...
          Action: s3:GetObject
          Resource: "arn:aws:s3:::mys3bucket/*"
          # ... to every principal on the internet: this is what the query flags
          Principal: "*"
```
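To show the condition the description states in working code, here is a small checker written for this page. It is an added example, not the KICS Rego query and not code from the amazon.aws collection. The matching rule (an Allow statement, an action pattern that covers s3:GetObject, and a wildcard principal), the function names, and the two sample tasks are this example's own assumptions; the account ID in the safe sample is made up.

```python
"""Added example, not part of the KICS query or its documentation: a checker
that applies the rule described above (Effect Allow + a Get action + every
principal) to an amazon.aws.s3_bucket task. The matching rule, the helper
names and the sample policies are this example's own assumptions."""
import fnmatch
import json
from typing import Any, Dict, List, Union

Policy = Union[str, Dict[str, Any]]  # the module accepts a dict or a JSON string


def _as_list(value: Any) -> List[Any]:
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """'*', {'AWS': '*'} and {'AWS': ['*', ...]} all mean any principal at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _covers_get_object(actions: Any) -> bool:
    """True if any action pattern matches s3:GetObject ('*', 's3:*', 's3:Get*', ...).
    A bare 'GetObject' without the service prefix is accepted as well."""
    for action in _as_list(actions):
        name = str(action).lower()
        if name.startswith("s3:"):
            name = name[3:]
        if fnmatch.fnmatchcase("getobject", name):
            return True
    return False


def find_public_get_statements(policy: Policy) -> List[int]:
    """Return the indexes of statements that let everyone read objects."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits: List[int] = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions
            grants_get = not _covers_get_object(stmt["NotAction"])
        else:
            grants_get = _covers_get_object(stmt.get("Action"))
        if grants_get:
            hits.append(index)
    return hits


def check_s3_bucket_task(task: Dict[str, Any]) -> List[int]:
    """Pull the policy out of an amazon.aws.s3_bucket task (FQCN or short name)."""
    module = task.get("amazon.aws.s3_bucket") or task.get("s3_bucket") or {}
    policy = module.get("policy")
    return find_public_get_statements(policy) if policy else []


# Constructed sample tasks (not from the original page): the positive test
# above as a Python dict, and a fixed version restricted to one account.
PUBLIC_TASK = {
    "name": "Bucket",
    "amazon.aws.s3_bucket": {
        "name": "mys3bucket",
        "state": "present",
        "policy": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Principal": "*",
                "Resource": "arn:aws:s3:::mys3bucket/*",
            }],
        },
    },
}

PRIVATE_TASK = {
    "name": "Bucket",
    "amazon.aws.s3_bucket": {
        "name": "mys3bucket",
        "state": "present",
        # same grant as a JSON string, but only to one (made-up) account
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                "Resource": ["arn:aws:s3:::mys3bucket", "arn:aws:s3:::mys3bucket/*"],
            }],
        }),
    },
}

if __name__ == "__main__":
    for task in (PUBLIC_TASK, PRIVATE_TASK):
        print(task["name"], "public Get statements:", check_s3_bucket_task(task))
```

Two caveats on what this check can and cannot tell you. A statement that pairs Principal "*" with a Condition block (for example one keyed on aws:SourceVpce) is still reported, which is the conservative choice for a static scanner; and a policy like this can still be blocked at runtime by the bucket's Public Access Block settings, which the check does not model. Neither caveat makes the flagged statement acceptable: the fix is to name the principals that need read access, as the private sample does.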