S3 Bucket Without Restriction Of Public Bucket
- Query id: 1ec253ab-c220-4d63-b2de-5b40e0af9293
- Query name: S3 Bucket Without Restriction Of Public Bucket
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
S3 bucket without restriction of public bucket
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_s3_bucket" "positive1" {
bucket = "example"
}
// comment
resource "aws_s3_bucket_public_access_block" "positive2" {
bucket = aws_s3_bucket.example.id
block_public_acls = true
block_public_policy = true
restrict_public_buckets = false
}
resource "aws_s3_bucket_public_access_block" "positive3" {
bucket = aws_s3_bucket.example.id
block_public_acls = true
block_public_policy = true
}
Positive test num. 2 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
restrict_public_buckets = false
versioning = {
enabled = true
}
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my_tf_test_bucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
}
}
]
}
POLICY
}
Positive test num. 3 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my_tf_test_bucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
}
}
]
}
POLICY
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_s3_bucket" "negative1" {
bucket = "example"
}
resource "aws_s3_bucket_public_access_block" "negative2" {
bucket = aws_s3_bucket.example.id
block_public_acls = true
block_public_policy = true
restrict_public_buckets = true
}
Negative test num. 2 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
restrict_public_buckets = true
versioning = {
enabled = true
}
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my_tf_test_bucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
}
}
]
}
POLICY
}