S3 Bucket Allows Delete Action From All Principals
- Query id: 6fa44721-ef21-41c6-8665-330d59461163
- Query name: S3 Bucket Allows Delete Action From All Principals
- Platform: Ansible
- Severity: Critical
- Category: Access Control
- CWE: 732
- URL: Github
Description
S3 buckets must not allow the Delete action from all principals, in order to prevent private information from being exposed to the entire internet and to prevent unauthorized data tampering or deletion. This means that no policy statement may have 'Effect' set to 'Allow' when the 'Action' is a delete action and the 'Principal' is '*' (all principals).
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
# this is problematic code where the query should report a result(s)
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2020-10-07"
      Statement:
        - Effect: Allow
          Action: DeleteObject
          Principal: "*"
```
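The check this query performs, written out as an added Python example (not the KICS query itself): it walks the `policy` of an `amazon.aws.s3_bucket` task and reports every statement that allows a delete action to all principals. The task dictionaries, the delete-action list and the role ARN are constructed for this example; it also handles the `{"AWS": "*"}` principal form and IAM wildcards such as `s3:*`.

```python
"""Added example (not KICS's own query code): flags amazon.aws.s3_bucket tasks
whose bucket policy lets every principal delete objects or the bucket."""
import fnmatch

# Delete actions this example checks for; the list is an assumption of the example.
DELETE_ACTIONS = ("s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket")

def _as_list(value):
    """IAM fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also "*" inside an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def action_allows_delete(action):
    """True if any action entry covers a delete action, with or without the
    "s3:" prefix, honouring IAM wildcards such as "s3:*" or "s3:Delete*"."""
    for pattern in _as_list(action):
        pat = pattern if ":" in pattern else f"s3:{pattern}"
        if any(fnmatch.fnmatchcase(a, pat) for a in DELETE_ACTIONS):
            return True
    return False

def find_public_delete(task):
    """Return the offending statements of one amazon.aws.s3_bucket task."""
    policy = task.get("amazon.aws.s3_bucket", {}).get("policy", {})
    return [s for s in _as_list(policy.get("Statement"))
            if s.get("Effect") == "Allow"
            and principal_is_everyone(s.get("Principal"))
            and action_allows_delete(s.get("Action"))]

# Constructed sample mirroring the page's positive test ("*" = every principal).
VULNERABLE_TASK = {"name": "Bucket", "amazon.aws.s3_bucket": {
    "name": "mys3bucket", "state": "present",
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "DeleteObject", "Principal": "*"}]}}}

# Constructed hardened variant: deletion is limited to one named role (placeholder ARN).
SAFE_TASK = {"name": "Bucket", "amazon.aws.s3_bucket": {
    "name": "mys3bucket", "state": "present",
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:DeleteObject"],
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/bucket-admin"}}]}}}

if __name__ == "__main__":
    print(find_public_delete(VULNERABLE_TASK))  # one statement reported
    print(find_public_delete(SAFE_TASK))        # []
```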