S3 Static Website Host Enabled
- Query id: 42bb6b7f-6d54-4428-b707-666f669d94fb
- Query name: S3 Static Website Host Enabled
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- CWE: Ongoing
- URL: Github
Description¶
Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive1" {
bucket = "s3-website-test.hashicorp.com"
acl = "public-read"
website {
index_document = "index.html"
error_document = "error.html"
}
}
Positive test num. 2 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
website {
index_document = "index.html"
error_document = "error.html"
}
}
Positive test num. 3 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "buc" {
bucket = "my-tf-test-bucket"
tags = {
Name = "My bucket"
Environment = "Dev"
}
}
resource "aws_s3_bucket_website_configuration" "example" {
bucket = aws_s3_bucket.buc.bucket
index_document {
suffix = "index.html"
}
error_document {
key = "error.html"
}
routing_rule {
condition {
key_prefix_equals = "docs/"
}
redirect {
replace_key_prefix_with = "documents/"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "negative1" {
bucket = "s3-website-test.hashicorp.com"
acl = "public-read"
}