S3 Bucket Allows Delete Action From All Principals

• Query id: 6fa44721-ef21-41c6-8665-330d59461163
• Query name: S3 Bucket Allows Delete Action From All Principals
• Platform: Ansible
• Severity: Critical
• Category: Access Control
• CWE: 732
• URL: Github

Description

S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

#this is a problematic code where the query should report a result(s)
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2020-10-07"
      Statement:
      - Effect: Allow
        Action: DeleteObject
        Principal: "*"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

#this code is a correct code for which the query should not find any result
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: '2020-10-07'
      Statement:
      - Effect: Deny
        Action: DeleteObject
        Principal: '*'