S3 Bucket With All Permissions
- Query id: 6a6d7e56-c913-4549-b5c5-5221e624d2ec
- Query name: S3 Bucket With All Permissions
- Platform: Ansible
- Severity: High
- Category: Access Control
- URL: Github
Description
S3 buckets should not grant all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering or deletion. This means 'Effect' must not be 'Allow' when 'Action' is the wildcard '*' (as in the "s3:*" of the sample below) and the statement applies to all principals ('Principal' is '*').
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
---
- name: Create s3 bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    policy:
      Id: "id113"
      Version: "2012-10-17"
      Statement:
        - Action: "s3:*"
          Effect: "Allow"
          Resource: "arn:aws:s3:::S3B_181355/*"
          Principal: "*"
    requester_pays: yes
    versioning: yes
```
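As an added example (not KICS code, and not part of the original page), the following Python reimplements the rule's logic over the positive sample above and over a constructed hardened variant: a statement is flagged only when Effect is Allow, Action is a wildcard ("*" or "s3:*", given as a string or a list) and Principal is everyone ("*" or a map such as {"AWS": "*"}). It assumes the policy is written as a YAML mapping, as in the sample, rather than as a JSON string; the account id in the hardened variant is a placeholder.

```python
from typing import Any

def _as_list(value: Any) -> list:
    # IAM allows Action and Principal values to be a string or a list
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _action_is_wildcard(action: Any) -> bool:
    # "*" grants every API call, "s3:*" every S3 call; both are "all permissions"
    return any(str(a).strip() in ("*", "s3:*") for a in _as_list(action))

def _principal_is_everyone(principal: Any) -> bool:
    # Principal may be "*" or a map such as {"AWS": "*"} / {"AWS": ["*", ...]}
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return "*" in _as_list(principal)

def find_open_statements(policy: dict) -> list:
    """Indexes of statements with Effect Allow, wildcard Action and wildcard Principal."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if (stmt.get("Effect") == "Allow"
                and _action_is_wildcard(stmt.get("Action"))
                and _principal_is_everyone(stmt.get("Principal"))):
            findings.append(idx)
    return findings

def scan_tasks(tasks: list) -> list:
    """Check each amazon.aws.s3_bucket task (policy given as a mapping, not a JSON string)."""
    hits = []
    for task in tasks:
        module = task.get("amazon.aws.s3_bucket")
        if module and isinstance(module.get("policy"), dict):
            for idx in find_open_statements(module["policy"]):
                hits.append((task.get("name"), idx))
    return hits

# The page's positive sample, transcribed from the YAML above into Python structures
POSITIVE_TASKS = [{"name": "Create s3 bucket", "amazon.aws.s3_bucket": {
    "name": "mys3bucket", "requester_pays": True, "versioning": True,
    "policy": {"Id": "id113", "Version": "2012-10-17", "Statement": [
        {"Action": "s3:*", "Effect": "Allow",
         "Resource": "arn:aws:s3:::S3B_181355/*", "Principal": "*"}]}}}]

# Hardened variant (constructed): read-only, granted only to one account (placeholder id)
HARDENED_TASKS = [{"name": "Create s3 bucket", "amazon.aws.s3_bucket": {
    "name": "mys3bucket", "policy": {"Version": "2012-10-17", "Statement": [
        {"Action": ["s3:GetObject"], "Effect": "Allow", "Resource": "arn:aws:s3:::S3B_181355/*",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}}}]
```

`scan_tasks(POSITIVE_TASKS)` reports the sample's single statement, while the hardened variant produces no findings because both the action and the principal are restricted.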