S3 Bucket Allows List Action From All Principals

  • Query id: d395a950-12ce-4314-a742-ac5a785ab44e
  • Query name: S3 Bucket Allows List Action From All Principals
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • CWE: 200
  • URL: Github

Description

S3 bucket policies must not grant a List action (s3:ListBucket, s3:List*, s3:* or *) to all principals, as that publishes the bucket's object keys to the entire internet and gives an attacker the enumeration step that precedes reading, tampering with or deleting data. This means a statement whose 'Effect' is 'Allow' and whose 'Action' is a List action must not have a 'Principal' of "*" (or {"AWS": "*"}).
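The check the description states, implemented over an Ansible playbook, as an added example that is not part of this page or of the KICS query. It assumes the playbook has already been parsed (for instance with yaml.safe_load) into Python objects. The playbook below is constructed: its first two tasks mirror the positive and negative fixtures on this page, and the other two go beyond them with forms a scanner must also handle (policy supplied as a JSON string, the module accepts either form; Principal written as {AWS: "*"}; wildcard and list-valued Actions; a Deny statement). Module and bucket names follow the page; the account ID is a placeholder.

```python
"""Flag amazon.aws.s3_bucket tasks whose policy grants a List action to every
principal. Added example; not KICS's own query implementation."""

import json
from typing import Any

# Constructed sample playbook, already loaded from YAML into Python objects.
PLAYBOOK = [
    # Page's positive fixture: Allow + List + all principals -> finding.
    {"name": "Bucket", "amazon.aws.s3_bucket": {
        "name": "mys3bucket", "state": "present",
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "ListObject", "Principal": "*"}]}}},
    # Page's negative fixture: same grant, but not to all principals.
    {"name": "Bucket", "amazon.aws.s3_bucket": {
        "name": "mys3bucket", "state": "present",
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "ListObject", "Principal": "NotAll"}]}}},
    # Policy given as a JSON string, wildcard principal in AWS-key form,
    # single Statement object instead of a list, wildcard action -> finding.
    {"name": "Public listing via JSON policy", "amazon.aws.s3_bucket": {
        "name": "logs",
        "policy": ('{"Version":"2012-10-17","Statement":{"Effect":"Allow",'
                   '"Action":["s3:GetObject","s3:List*"],"Principal":{"AWS":"*"},'
                   '"Resource":"arn:aws:s3:::logs"}}')}},
    # Allow to one account plus a Deny to everyone: no finding.
    {"name": "Scoped", "amazon.aws.s3_bucket": {
        "name": "private",
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Principal": {"AWS": "arn:aws:iam::123456789012:root"}},  # placeholder account
            {"Effect": "Deny", "Action": "s3:ListBucket", "Principal": "*"}]}}},
]


def _as_list(value: Any) -> list:
    """IAM allows scalars wherever it allows lists; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_list_action(action: str) -> bool:
    """True for s3:ListBucket, s3:List*, s3:*, bare *, and unprefixed names
    such as the fixture's ListObject; False for other services or actions."""
    service, _, name = action.lower().rpartition(":")
    if name == "*":
        return service in ("", "s3")
    return service in ("", "s3") and name.startswith("list")


def is_all_principals(principal: Any) -> bool:
    """True for Principal: "*" and Principal: {AWS: "*"} (scalar or list)."""
    if isinstance(principal, list):
        return any(is_all_principals(p) for p in principal)
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_list_statements(policy: Any) -> list[tuple[dict, list[str]]]:
    """Return (statement, offending actions) for every Allow statement that
    grants a List action to all principals. A Condition block is ignored on
    purpose: the statement is still reported, as the query does."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue
        if not is_all_principals(stmt.get("Principal")):
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action", [])) if is_list_action(str(a))]
        if actions:
            hits.append((stmt, actions))
    return hits


def scan_playbook(playbook: list) -> list[str]:
    """One human-readable finding per offending statement, in playbook order."""
    findings = []
    for task in playbook:
        for module in ("amazon.aws.s3_bucket", "s3_bucket"):  # FQCN and short name
            args = task.get(module)
            if not isinstance(args, dict) or "policy" not in args:
                continue
            bucket = args.get("name", "<unnamed>")
            for _stmt, actions in find_public_list_statements(args["policy"]):
                findings.append(f"task {task.get('name')!r}: bucket {bucket!r} allows "
                                f"{', '.join(actions)} to all principals")
    return findings


if __name__ == "__main__":
    for line in scan_playbook(PLAYBOOK):
        print(line)
```

Tasks 1 and 3 are reported; task 2 (a specific principal) and task 4 (Allow scoped to one account, Deny to everyone) are not. The Deny is not treated as cancelling an Allow elsewhere in the policy; the scanner judges each statement on its own, which is the conservative choice for a linter.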
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Problematic code: the query should report a result here
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2020-10-07"   # fixture value; AWS only accepts "2012-10-17" (or the legacy "2008-10-17")
      Statement:
      - Effect: Allow
        Action: ListObject    # fixture placeholder; the real listing action is s3:ListBucket
        Principal: "*"        # every principal, i.e. anonymous access from the whole internet

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Correct code: the query should not find any result here
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: '2020-10-07'   # fixture value; AWS only accepts '2012-10-17' (or the legacy '2008-10-17')
      Statement:
      - Effect: Allow
        Action: ListObject    # fixture placeholder; the real listing action is s3:ListBucket
        Principal: NotAll     # fixture placeholder for a specific principal, e.g. {AWS: "arn:aws:iam::<account-id>:root"}