S3 Bucket ACL Allows Read Or Write to All Users
- Query id: 38c5ee0d-7f22-4260-ab72-5073048df100
- Query name: S3 Bucket ACL Allows Read Or Write to All Users
- Platform: Terraform
- Severity: Critical
- Category: Access Control
- CWE: Ongoing
- URL: Github
Description¶
S3 buckets should not be readable or writable by all users (the AllUsers group).
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
# Provider pinning for this sample: AWS provider 3.x, where the canned ACL is
# still an inline argument of aws_s3_bucket.
terraform {
  required_providers {
    aws = {
      version = "~> 3.0"
      source  = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}
# Flagged by this query: the canned ACL "public-read" grants read access to
# the AllUsers group, i.e. to anyone, which is exactly what the query detects.
resource "aws_s3_bucket" "positive1" {
  bucket = "my-tf-test-bucket"
  acl    = "public-read"

  versioning {
    enabled = true
  }

  tags = {
    Environment = "Dev"
    Name        = "My bucket"
  }
}
Positive test num. 2 - tf file
provider "aws" {
  region = "us-east-1"
}

# AWS provider 3.x: bucket ACL is configured inline on aws_s3_bucket.
terraform {
  required_providers {
    aws = {
      version = "~> 3.0"
      source  = "hashicorp/aws"
    }
  }
}
# Flagged by this query: "public-read-write" grants both read and write to the
# AllUsers group, so anyone can list and modify the bucket's contents. This is
# the more severe of the two public canned ACLs.
resource "aws_s3_bucket" "positive2" {
  bucket = "my-tf-test-bucket"
  acl    = "public-read-write"

  versioning {
    enabled = true
  }

  tags = {
    Environment = "Dev"
    Name        = "My bucket"
  }
}
Positive test num. 3 - tf file
# Flagged by this query: the public canned ACL is passed through a module
# input rather than a resource argument. The module presumably applies it to
# the bucket it creates, so the exposure is the same as the resource form.
module "s3_bucket" {
  version = "3.7.0"
  source  = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
  acl    = "public-read"

  versioning = {
    enabled = true
  }
}
Positive test num. 4 - tf file
Positive test num. 5 - tf file
# Provider pinning for this sample: AWS provider 4.2.0, where the bucket ACL
# lives in a separate aws_s3_bucket_acl resource.
terraform {
  required_providers {
    aws = {
      version = "4.2.0"
      source  = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}
# Bucket definition only; with provider 4.x the ACL is attached by the
# aws_s3_bucket_acl resource that references this bucket's id.
resource "aws_s3_bucket" "example00" {
  bucket = "my-tf-example-bucket"
}
# Flagged by this query: attaching "public-read" through aws_s3_bucket_acl is
# equivalent to the inline acl argument on older providers. The query has to
# follow the bucket reference to see which bucket becomes readable by all users.
resource "aws_s3_bucket_acl" "example_bucket_acl" {
  acl    = "public-read"
  bucket = aws_s3_bucket.example00.id
}
Positive test num. 6 - tf file
provider "aws" {
  region = "us-east-1"
}

# AWS provider 4.2.0: ACL is a separate aws_s3_bucket_acl resource.
terraform {
  required_providers {
    aws = {
      version = "4.2.0"
      source  = "hashicorp/aws"
    }
  }
}
# Bucket definition only; the public ACL is applied by the aws_s3_bucket_acl
# resource below, which is where the finding is raised.
resource "aws_s3_bucket" "example000" {
  bucket = "my-tf-example-bucket"
}
# Flagged by this query: "public-read-write" grants read and write to the
# AllUsers group on the referenced bucket, so anyone can list and modify it.
resource "aws_s3_bucket_acl" "example_bucket_acl" {
  acl    = "public-read-write"
  bucket = aws_s3_bucket.example000.id
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Provider pinning for this sample: AWS provider 3.x (inline acl argument).
terraform {
  required_providers {
    aws = {
      version = "~> 3.0"
      source  = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}
# Passes this query: "private" grants nothing to the AllUsers group. Note that
# the ACL is only one layer; a bucket policy or the account/bucket public
# access block settings (aws_s3_bucket_public_access_block) also govern
# public exposure and are not checked by this query.
resource "aws_s3_bucket" "negative1" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  tags = {
    Environment = "Dev"
    Name        = "My bucket"
  }
}
Negative test num. 2 - tf file
# Passes this query: the module input carries the "private" canned ACL, so no
# public grant is requested through the module.
module "s3_bucket" {
  version = "3.7.0"
  source  = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }
}
Negative test num. 3 - tf file
provider "aws" {
  region = "us-east-1"
}

# AWS provider 4.2.0: ACL is a separate aws_s3_bucket_acl resource.
terraform {
  required_providers {
    aws = {
      version = "4.2.0"
      source  = "hashicorp/aws"
    }
  }
}
# Bucket definition only; the (private) ACL is attached by the
# aws_s3_bucket_acl resource that references this bucket's id.
resource "aws_s3_bucket" "example0" {
  bucket = "my-tf-example-bucket"
}
# Passes this query: "private" grants nothing to the AllUsers group.
# NOTE(review): on provider 4.x, applying any canned ACL presumably requires
# ACLs to be enabled on the bucket via its object ownership setting — confirm
# against the provider version in use. For defence in depth, pair the bucket
# with aws_s3_bucket_public_access_block so a later ACL or policy change
# cannot re-expose it.
resource "aws_s3_bucket_acl" "example_bucket_acl" {
  acl    = "private"
  bucket = aws_s3_bucket.example0.id
}