S3 Bucket With Unsecured CORS Rule
- Query id: 3609d27c-3698-483a-9402-13af6ae80583
- Query name: S3 Bucket With Unsecured CORS Rule
- Platform: CloudFormation
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
AccessControl: PublicRead
CorsConfiguration:
CorsRules:
- AllowedHeaders:
- '*'
AllowedMethods:
- GET
AllowedOrigins:
- '*'
ExposedHeaders:
- Date
Id: myCORSRuleId1
MaxAge: 3600
- AllowedMethods:
- DELETE
AllowedOrigins:
- 'http://www.example.com'
- 'http://www.example.net'
ExposedHeaders:
- Connection
- Server
- Date
Id: myCORSRuleId2
MaxAge: 1800
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicRead",
"CorsConfiguration": {
"CorsRules": [
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET"
],
"AllowedOrigins": [
"*"
],
"ExposedHeaders": [
"Date"
],
"Id": "myCORSRuleId1",
"MaxAge": 3600
},
{
"AllowedMethods": [
"DELETE"
],
"AllowedOrigins": [
"http://www.example.com",
"http://www.example.net"
],
"ExposedHeaders": [
"Connection",
"Server",
"Date"
],
"Id": "myCORSRuleId2",
"MaxAge": 1800
}
]
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
AccessControl: PublicRead
CorsConfiguration:
CorsRules:
- AllowedMethods:
- GET
AllowedOrigins:
- 'https://s3-website-test.hashicorp.com'
ExposedHeaders:
- Date
Id: myCORSRuleId1
MaxAge: 3600
- AllowedMethods:
- DELETE
AllowedOrigins:
- 'http://www.example.com'
- 'http://www.example.net'
ExposedHeaders:
- Connection
- Server
- Date
Id: myCORSRuleId2
MaxAge: 1800
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicRead",
"CorsConfiguration": {
"CorsRules": [
{
"AllowedMethods": [
"GET"
],
"AllowedOrigins": [
"https://s3-website-test.hashicorp.com"
],
"ExposedHeaders": [
"Date"
],
"Id": "myCORSRuleId1",
"MaxAge": 3600
},
{
"AllowedMethods": [
"DELETE"
],
"AllowedOrigins": [
"http://www.example.com",
"http://www.example.net"
],
"ExposedHeaders": [
"Connection",
"Server",
"Date"
],
"Id": "myCORSRuleId2",
"MaxAge": 1800
}
]
}
}
}
}
}