S3 Bucket Should Have Bucket Policy
- Query id: 37fa8188-738b-42c8-bf82-6334ea567738
- Query name: S3 Bucket Should Have Bucket Policy
- Platform: CloudFormation
- Severity: Medium
- Category: Insecure Defaults
- URL: Github
Description
Checks that every AWS::S3::Bucket resource has an AWS::S3::BucketPolicy associated with it. A policy counts as associated when its `Bucket` property points at the bucket, either as the bucket's name (matching `BucketName`) or through `Ref`/`!Ref`; a bucket that no policy in the template points at is reported. Note that this query only checks for the presence of a policy, not for what the policy allows.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
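# Positive sample: every AWS::S3::Bucket here is flagged. The three bucket
# policies point at buckets that do not exist in this template
# (docexamplebucketfail, docexamplebucket2, docexamplebucketfail2), so
# S3Bucket3, S3Bucket and S3Bucket7 are left without an associated policy.
# Caveat: the statements below grant s3:GetObject to Principal '*' gated only
# by aws:Referer, a client-supplied header that is trivially forged; treat
# them as public read, not as an access control.
# NOTE: the format version is an unquoted date; a generic YAML loader may read
# it as a timestamp (compare the JSON twin's 2010-09-09T00:00:00Z).
# CloudFormation itself accepts the unquoted form.
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  S3Bucket3:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: docexamplebucket1
  SampleBucketPolicy5:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        # Ref to a logical ID that is not defined in this template.
        Ref: docexamplebucketfail
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  # Ref takes a logical ID (S3Bucket3); docexamplebucket1 is a
                  # bucket name and would not resolve at deploy time.
                  - Ref: docexamplebucket1
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    # No BucketName, and no policy references the logical ID S3Bucket.
    Properties: {}
  SampleBucketPolicy2:
    Type: AWS::S3::BucketPolicy
    Properties:
      # Plain bucket name; no bucket in this template is named docexamplebucket2.
      Bucket: docexamplebucket2
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
  S3Bucket7:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: docexamplebucket5
  SampleBucketPolicy8:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      # Short-form Ref to an undefined logical ID.
      Bucket: !Ref docexamplebucketfail2
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket1
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'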
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "A sample template",
"Resources": {
"SampleBucketPolicy8": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": "docexamplebucketfail2",
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "docexamplebucket1"
},
"/*"
]
]
},
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
},
"S3Bucket3": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain",
"Properties": {
"BucketName": "docexamplebucket1"
}
},
"SampleBucketPolicy5": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "docexamplebucketfail"
},
"PolicyDocument": {
"Statement": [
{
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
},
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "docexamplebucket1"
},
"/*"
]
]
},
"Principal": "*"
}
]
}
}
},
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain",
"Properties": {}
},
"SampleBucketPolicy2": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": "docexamplebucket2",
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "docexamplebucket"
},
"/*"
]
]
},
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
},
"S3Bucket7": {
"DeletionPolicy": "Retain",
"Properties": {
"BucketName": "docexamplebucket5"
},
"Type": "AWS::S3::Bucket"
}
}
}
Positive test num. 3 - yaml file
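# Positive sample: MyS3Bucket2 is flagged because the template contains no
# AWS::S3::BucketPolicy at all. AccessControl: PublicRead is a separate
# public-exposure setting that this query does not evaluate; it deserves its
# own review even once a policy is attached.
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  MyS3Bucket2:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: PublicRead
      MetricsConfigurations:
        - Id: EntireBucket
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
        RoutingRules:
          - RoutingRuleCondition:
              HttpErrorCodeReturnedEquals: '404'
              KeyPrefixEquals: out1/
            RedirectRule:
              HostName: ec2-11-22-333-44.compute-1.amazonaws.com
              ReplaceKeyPrefixWith: report-404/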
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "A sample template",
"Resources": {
"MyS3Bucket2": {
"Properties": {
"AccessControl": "PublicRead",
"MetricsConfigurations": [
{
"Id": "EntireBucket"
}
],
"WebsiteConfiguration": {
"ErrorDocument": "error.html",
"IndexDocument": "index.html",
"RoutingRules": [
{
"RedirectRule": {
"HostName": "ec2-11-22-333-44.compute-1.amazonaws.com",
"ReplaceKeyPrefixWith": "report-404/"
},
"RoutingRuleCondition": {
"HttpErrorCodeReturnedEquals": "404",
"KeyPrefixEquals": "out1/"
}
}
]
}
},
"Type": "AWS::S3::Bucket"
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
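# Negative sample: both buckets pass. S3Bucket and S3Bucket9 share the name
# docexamplebucket, and each policy's Bucket value (a plain string and a
# !Ref) resolves to that name, so the query treats both buckets as covered.
# Fixture caveats: two resources with the same BucketName cannot both be
# created (bucket names are globally unique), and !Ref docexamplebucket
# targets a bucket name rather than a logical ID (S3Bucket / S3Bucket9), so
# this template is for scanning only, not deployment.
# The Principal '*' statements are gated only by aws:Referer, a forgeable
# request header; they amount to public read.
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: docexamplebucket
  SampleBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      # Matches S3Bucket by bucket name.
      Bucket: docexamplebucket
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
  S3Bucket9:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    Properties:
      BucketName: docexamplebucket
  SampleBucketPolicy10:
    Type: AWS::S3::BucketPolicy
    Properties:
      # Ref form; the query matches its target against BucketName as well.
      Bucket: !Ref docexamplebucket
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'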
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "A sample template",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain",
"Properties": {
"BucketName": "docexamplebucket"
}
},
"SampleBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": "docexamplebucket",
"PolicyDocument": {
"Statement": [
{
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "docexamplebucket"
},
"/*"
]
]
},
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
},
"Action": [
"s3:GetObject"
],
"Effect": "Allow"
}
]
}
}
},
"S3Bucket9": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain",
"Properties": {
"BucketName": "docexamplebucket"
}
},
"SampleBucketPolicy10": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
},
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "docexamplebucket"
},
"/*"
]
]
}
}
]
},
"Bucket": "docexamplebucket"
}
}
}
}
Negative test num. 3 - yaml file
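# Negative sample: MyS3Bucket22 passes because SampleBucketPolicy2 attaches to
# it via !Ref MyS3Bucket22, the bucket's logical ID (the form CloudFormation
# expects). Passing this query says nothing about what the policy allows:
# AccessControl: PublicRead plus the Principal '*' / aws:Referer statement
# still leave the bucket publicly readable, which is usual for static website
# hosting but must be a deliberate choice.
# The Ref: docexamplebucket inside Fn::Join matches no logical ID here.
AWSTemplateFormatVersion: 2010-09-09
Description: A sample template
Resources:
  MyS3Bucket22:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: PublicRead
      MetricsConfigurations:
        - Id: EntireBucket
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
        RoutingRules:
          - RoutingRuleCondition:
              HttpErrorCodeReturnedEquals: '404'
              KeyPrefixEquals: out1/
            RedirectRule:
              HostName: ec2-11-22-333-44.compute-1.amazonaws.com
              ReplaceKeyPrefixWith: report-404/
  SampleBucketPolicy2:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyS3Bucket22
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: docexamplebucket
                  - /*
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'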
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "A sample template",
"Resources": {
"MyS3Bucket22": {
"Properties": {
"AccessControl": "PublicRead",
"MetricsConfigurations": [
{
"Id": "EntireBucket"
}
],
"WebsiteConfiguration": {
"ErrorDocument": "error.html",
"IndexDocument": "index.html",
"RoutingRules": [
{
"RedirectRule": {
"HostName": "ec2-11-22-333-44.compute-1.amazonaws.com",
"ReplaceKeyPrefixWith": "report-404/"
},
"RoutingRuleCondition": {
"HttpErrorCodeReturnedEquals": "404",
"KeyPrefixEquals": "out1/"
}
}
]
}
},
"Type": "AWS::S3::Bucket"
},
"SampleBucketPolicy2": {
"Properties": {
"Bucket": "MyS3Bucket22",
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
},
"Effect": "Allow",
"Principal": "*",
"Resource": {
"Fn::Join": [
"",
{
"playbooks": [
"arn:aws:s3:::",
{
"Ref": "docexamplebucket"
},
"/*"
]
}
]
}
}
]
}
},
"Type": "AWS::S3::BucketPolicy"
}
}
}