S3 Bucket Without SSL In Write Actions
- Query id: 38c64e76-c71e-4d92-a337-60174d1de1c9
- Query name: S3 Bucket Without SSL In Write Actions
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description¶
S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
- Sid: PublicReadForGetBucketObjects
Effect: Allow
Principal: '*'
Action: 's3:GetObject'
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket
- /*
Bucket: !Ref S3Bucket
Outputs:
WebsiteURL:
Value: !GetAtt
- S3Bucket
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join
- ''
- - 'https://'
- !GetAtt
- S3Bucket
- DomainName
Description: Name of S3 bucket to hold website content
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket2:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket2
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
- Sid: EnsureSSL
Effect: Deny
Principal: '*'
Action: 's3:PutObject'
Condition:
Bool:
'aws:SecureTransport': true
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket2
- /*
Bucket: !Ref S3Bucket2
Outputs:
WebsiteURL:
Value: !GetAtt
- S3Bucket2
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join
- ''
- - 'https://'
- !GetAtt
- S3Bucket2
- DomainName
Description: Name of S3 bucket to hold website content
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket3:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket3
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
S3Bucket4:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket4
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
- Sid: EnsureSSL
Effect: Allow
Principal: '*'
Action: 's3:*'
Condition:
Bool:
'aws:SecureTransport': false
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket3
- /*
Bucket: !Ref S3Bucket3
Outputs:
WebsiteURL:
Value: !GetAtt
- S3Bucket3
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join
- ''
- - 'https://'
- !GetAtt
- S3Bucket3
- DomainName
Description: Name of S3 bucket to hold website content
Positive test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket5:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket5
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
S3Bucket6:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket6
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
Outputs:
WebsiteURL:
Value: !GetAtt
- S3Bucket
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join
- ''
- - 'https://'
- !GetAtt
- S3Bucket
- DomainName
Description: Name of S3 bucket to hold website content
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Id": "MyPolicy",
"Version": "2012-10-17T00:00:00Z",
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"",
[
"arn:aws:s3:::",
"S3Bucket",
"/*"
]
]
}
]
},
"Bucket": "S3Bucket"
}
},
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "S3Bucket",
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
},
"DeletionPolicy": "Retain"
}
},
"Outputs": {
"WebsiteURL": {
"Value": [
"S3Bucket",
"WebsiteURL"
],
"Description": "URL for website hosted on S3"
},
"S3BucketSecureURL": {
"Value": [
"",
[
"https://",
[
"S3Bucket",
"DomainName"
]
]
],
"Description": "Name of S3 bucket to hold website content"
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"S3Bucket2": {
"Properties": {
"BucketName": "S3Bucket2",
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
},
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket"
},
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Id": "MyPolicy",
"Version": "2012-10-17T00:00:00Z",
"Statement": [
{
"Sid": "EnsureSSL",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Condition": {
"Bool": {
"aws:SecureTransport": true
}
},
"Resource": [
"",
[
"arn:aws:s3:::",
"S3Bucket2",
"/*"
]
]
}
]
},
"Bucket": "S3Bucket2"
}
}
},
"Outputs": {
"WebsiteURL": {
"Value": [
"S3Bucket2",
"WebsiteURL"
],
"Description": "URL for website hosted on S3"
},
"S3BucketSecureURL": {
"Value": [
"",
[
"https://",
[
"S3Bucket2",
"DomainName"
]
]
],
"Description": "Name of S3 bucket to hold website content"
}
}
}
Positive test num. 7 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Id": "MyPolicy",
"Version": "2012-10-17T00:00:00Z",
"Statement": [
{
"Sid": "EnsureSSL",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": false
}
},
"Resource": [
"",
[
"arn:aws:s3:::",
"S3Bucket3",
"/*"
]
]
}
]
},
"Bucket": "S3Bucket3"
}
},
"S3Bucket3": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "S3Bucket3",
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
},
"DeletionPolicy": "Retain"
},
"S3Bucket4": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "S3Bucket4",
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
},
"DeletionPolicy": "Retain"
}
},
"Outputs": {
"WebsiteURL": {
"Value": [
"S3Bucket3",
"WebsiteURL"
],
"Description": "URL for website hosted on S3"
},
"S3BucketSecureURL": {
"Value": [
"",
[
"https://",
[
"S3Bucket3",
"DomainName"
]
]
],
"Description": "Name of S3 bucket to hold website content"
}
}
}
Positive test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"S3Bucket5": {
"Properties": {
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
},
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket"
},
"S3Bucket6": {
"Properties": {
"BucketName": "S3Bucket6",
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"ErrorDocument": "error.html",
"IndexDocument": "index.html"
}
},
"DeletionPolicy": "Retain",
"Type": "AWS::S3::Bucket"
}
},
"Outputs": {
"WebsiteURL": {
"Value": [
"S3Bucket",
"WebsiteURL"
],
"Description": "URL for website hosted on S3"
},
"S3BucketSecureURL": {
"Value": [
"",
[
"https://",
[
"S3Bucket",
"DomainName"
]
]
],
"Description": "Name of S3 bucket to hold website content"
}
}
}
Positive test num. 9 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket33:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket33,
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
Effect: Allow
Principal: '*'
Action: 's3:*'
Condition:
Bool:
'aws:SecureTransport': false
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket33
- /*
Bucket: !Ref S3Bucket33
Positive test num. 10 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"BucketPolicy": {
"Properties": {
"Bucket": "S3Bucket33",
"PolicyDocument": {
"Id": "MyPolicy",
"Statement": {
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": false
}
},
"Effect": "Allow",
"Principal": "*",
"Resource": [
"",
{
"playbooks": [
"arn:aws:s3:::",
"S3Bucket3",
"/*"
]
}
]
},
"Version": "2012-10-17"
}
},
"Type": "AWS::S3::BucketPolicy"
},
"S3Bucket33": {
"DeletionPolicy": "Retain",
"Properties": {
"BucketName": "S3Bucket33",
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"ErrorDocument": "error.html",
"IndexDocument": "index.html"
}
},
"Type": "AWS::S3::Bucket"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
- Sid: PublicReadForGetBucketObjects
Effect: Allow
Principal: '*'
Action: 's3:GetObject'
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket
- /*
- Sid: EnsureSSL
Effect: Deny
Principal: '*'
Action: 's3:PutObject'
Condition:
Bool:
'aws:SecureTransport': false
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket
- /*
Bucket: !Ref S3Bucket
Outputs:
WebsiteURL:
Value: !GetAtt
- S3Bucket
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join
- ''
- - 'https://'
- !GetAtt
- S3Bucket
- DomainName
Description: Name of S3 bucket to hold website content
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket2:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket2
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
- Sid: EnsureSSL
Effect: Deny
Principal: '*'
Action: 's3:*'
Condition:
Bool:
'aws:SecureTransport': false
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket2
- /*
Bucket: !Ref S3Bucket2
S3Bucket3:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy2:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy2
Version: 2012-10-17
Statement:
- Sid: EnsureSSL
Effect: Deny
Principal: '*'
Action: 's3:*'
Condition:
Bool:
'aws:SecureTransport': false
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket3
- /*
Bucket: !Ref S3Bucket3
Outputs:
WebsiteURL:
Value: !GetAtt
- S3Bucket2
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join
- ''
- - 'https://'
- !GetAtt
- S3Bucket2
- DomainName
Description: Name of S3 bucket to hold website content
Negative test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "S3Bucket",
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
},
"DeletionPolicy": "Retain"
},
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": "S3Bucket",
"PolicyDocument": {
"Id": "MyPolicy",
"Version": "2012-10-17T00:00:00Z",
"Statement": [
{
"Sid": "PublicReadForGetBucketObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"",
[
"arn:aws:s3:::",
"S3Bucket",
"/*"
]
]
},
{
"Principal": "*",
"Action": "s3:PutObject",
"Condition": {
"Bool": {
"aws:SecureTransport": false
}
},
"Resource": [
"",
[
"arn:aws:s3:::",
"S3Bucket",
"/*"
]
],
"Sid": "EnsureSSL",
"Effect": "Deny"
}
]
}
}
}
},
"Outputs": {
"WebsiteURL": {
"Value": [
"S3Bucket",
"WebsiteURL"
],
"Description": "URL for website hosted on S3"
},
"S3BucketSecureURL": {
"Description": "Name of S3 bucket to hold website content",
"Value": [
"",
[
"https://",
[
"S3Bucket",
"DomainName"
]
]
]
}
}
}
Negative test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket33:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket33
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17
Statement:
Effect: Deny
Principal: '*'
Action: 's3:*'
Condition:
Bool:
'aws:SecureTransport': false
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref S3Bucket3
- /*
Bucket: !Ref S3Bucket33
Negative test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"S3Bucket2": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "S3Bucket2",
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
},
"DeletionPolicy": "Retain"
},
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": "S3Bucket2",
"PolicyDocument": {
"Statement": [
{
"Condition": {
"Bool": {
"aws:SecureTransport": false
}
},
"Resource": [
"",
[
"arn:aws:s3:::",
"S3Bucket2",
"/*"
]
],
"Sid": "EnsureSSL",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*"
}
],
"Id": "MyPolicy",
"Version": "2012-10-17T00:00:00Z"
}
}
},
"S3Bucket3": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
},
"DeletionPolicy": "Retain"
},
"BucketPolicy2": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17T00:00:00Z",
"Statement": [
{
"Principal": "*",
"Action": "s3:*",
"Condition": {
"Bool": {
"aws:SecureTransport": false
}
},
"Resource": [
"",
[
"arn:aws:s3:::",
"S3Bucket3",
"/*"
]
],
"Sid": "EnsureSSL",
"Effect": "Deny"
}
],
"Id": "MyPolicy2"
},
"Bucket": "S3Bucket3"
}
}
},
"Outputs": {
"WebsiteURL": {
"Value": [
"S3Bucket2",
"WebsiteURL"
],
"Description": "URL for website hosted on S3"
},
"S3BucketSecureURL": {
"Value": [
"",
[
"https://",
[
"S3Bucket2",
"DomainName"
]
]
],
"Description": "Name of S3 bucket to hold website content"
}
}
}
Negative test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "S3Bucket88"
},
"PolicyDocument": {
"Statement": [
{
"Condition": {
"Bool": {
"aws:SecureTransport": false
}
},
"Resource": [
"",
[
"arn:aws:s3:::",
"S3Bucket2",
"/*"
]
],
"Sid": "EnsureSSL",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*"
}
],
"Id": "MyPolicy",
"Version": "2012-10-17T00:00:00Z"
}
}
},
"S3Bucket88": {
"DeletionPolicy": "Retain",
"Properties": {
"BucketName": "S3Bucket88",
"AccessControl": "PublicRead",
"WebsiteConfiguration": {
"ErrorDocument": "error.html",
"IndexDocument": "index.html"
}
},
"Type": "AWS::S3::Bucket"
}
}
}
Negative test num. 7 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket88:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket88
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17T00:00:00Z
Statement:
Effect: Deny
Principal: '*'
Action: 's3:*'
Condition:
Bool:
'aws:SecureTransport': false
Bucket: !Ref S3Bucket88
Negative test num. 8 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket88:
Type: AWS::S3::Bucket
Properties:
BucketName: S3Bucket88
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
DeletionPolicy: Retain
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: 2012-10-17T00:00:00Z
Statement:
Effect: Allow
Principal: '*'
Action: 's3:*'
Condition:
Bool:
'aws:SecureTransport': true
Bucket: !Ref S3Bucket88