S3 Bucket with Unsecured CORS Rule

  • Query id: 3505094c-f77c-4ba0-95da-f83db712f86c
  • Query name: S3 Bucket with Unsecured CORS Rule
  • Platform: Ansible
  • Severity: Medium
  • Category: Insecure Configurations
  • CWE: 710
  • URL: Github

Description

If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create s3 bucket2
  community.aws.aws_s3_cors:
    name: mys3bucket
    state: present
    rules:
      - allowed_origins:
          - http://www.example.com/
        allowed_methods:
          - GET
          - POST
          - PUT
          - DELETE
          - HEAD
        allowed_headers:
          - Authorization
        expose_headers:
          - x-amz-server-side-encryption
          - x-amz-request-id
        max_age_seconds: 30000
Positive test num. 2 - yaml file
- name: Create s3 bucket4
  aws_s3_cors:
    name: mys3bucket2
    state: present
    rules:
      - allowed_origins:
          - http://www.example.com/
        allowed_methods:
          - GET
          - POST
          - PUT
          - DELETE
          - HEAD
        allowed_headers:
          - Authorization
        expose_headers:
          - x-amz-server-side-encryption
          - x-amz-request-id
        max_age_seconds: 30000

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create s3 bucket
  community.aws.aws_s3_cors:
    name: mys3bucket3
    state: present
    rules:
      - allowed_origins:
          - http://www.example.com/
        allowed_methods:
          - GET
          - POST
        allowed_headers:
          - Authorization
        expose_headers:
          - x-amz-server-side-encryption
          - x-amz-request-id
        max_age_seconds: 30000
Negative test num. 2 - yaml file
- name: Create s3 bucket1
  aws_s3_cors:
    name: mys3bucket4
    state: present
    rules:
      - allowed_origins:
          - http://www.example.com/
        allowed_methods:
          - GET
          - POST
        allowed_headers:
          - Authorization
        expose_headers:
          - x-amz-server-side-encryption
          - x-amz-request-id
        max_age_seconds: 30000