S3 Bucket Allows Put Action From All Principals
- Query id: a0f1bfe0-741e-473f-b3b2-13e66f856fab
- Query name: S3 Bucket Allows Put Action From All Principals
- Platform: Ansible
- Severity: High
- Category: Access Control
- URL: Github
Description
S3 buckets must not allow a Put action from all principals: a write grant to everyone lets anyone on the internet upload, overwrite or delete objects, which can leak private information or allow unauthorized data tampering and deletion. Concretely, no bucket policy statement may combine 'Effect: Allow', a Put 'Action' and a 'Principal' of '*'.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# this is problematic code where the query should report a result(s)
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2020-10-07"
      Statement:
        # Allow + Put action + Principal "*": anyone can write to the bucket
        - Effect: Allow
          Action: PutObject
          Principal: "*"
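The check the query describes (Effect Allow, a Put action, Principal "*") as a small standalone scanner over parsed Ansible tasks; this is an added example, not KICS's own Rego query. It assumes the tasks have already been loaded with a YAML parser (the constructed TASKS list below is the structure yaml.safe_load would return for the sample above plus a hardened variant), and the account id and role name in the hardened variant are constructed placeholders.

```python
"""Flag amazon.aws.s3_bucket policies that let every principal write:
Effect Allow + a Put action + Principal "*" (the condition this query reports)."""
import json
import re

# Matches PutObject, s3:PutObject, s3:Put*, s3:* and the bare wildcard "*".
PUT_ACTION = re.compile(r"^(\*|s3:\*|(s3:)?Put[\w*]*)$", re.IGNORECASE)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """'*' or {"AWS": "*"} (single value or list) grants to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def open_put_statements(policy):
    """Return the statements that allow a Put action to all principals.
    Deny statements with Principal "*" are not findings."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        if any(PUT_ACTION.match(str(a)) for a in _as_list(stmt.get("Action", []))):
            findings.append(stmt)
    return findings


def scan_tasks(tasks):
    """Map bucket name -> offending statements for every s3_bucket task."""
    results = {}
    for task in tasks:
        module = task.get("amazon.aws.s3_bucket") or task.get("s3_bucket")
        if not module or "policy" not in module:
            continue
        policy = module["policy"]
        if isinstance(policy, str):  # the module also accepts a JSON string
            policy = json.loads(policy)
        results[module.get("name")] = open_put_statements(policy)
    return results


# Constructed input: the page's positive sample and a hardened bucket whose
# write grant is limited to one role (123456789012 is a placeholder account id).
TASKS = [
    {"name": "Bucket", "amazon.aws.s3_bucket": {"name": "mys3bucket", "state": "present",
     "policy": {"Version": "2020-10-07",
                "Statement": [{"Effect": "Allow", "Action": "PutObject", "Principal": "*"}]}}},
    {"name": "Bucket", "amazon.aws.s3_bucket": {"name": "privatebucket", "state": "present",
     "policy": {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                               "Resource": "arn:aws:s3:::privatebucket/*",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"}}]}}},
]
```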