S3 Bucket Allows List Action From All Principals
- Query id: faa8fddf-c0aa-4b2d-84ff-e993e233ebe9
- Query name: S3 Bucket Allows List Action From All Principals
- Platform: CloudFormation
- Severity: High
- Category: Access Control
- CWE: 200
- URL: Github
Description¶
S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
Resources:
SampleBucketPolicy3:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref DOC-EXAMPLE-BUCKET
PolicyDocument:
Statement:
- Action: "ListObject"
Effect: Allow
Resource: "*"
Principal: "*"
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
SampleBucketPolicy4:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref DOC-EXAMPLE-BUCKET
PolicyDocument:
Statement:
- Action:
- "ListObject"
- "GetObject"
Effect: Allow
Resource: "*"
Principal: "*"
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Positive test num. 2 - json file
{
"Resources": {
"SampleBucketPolicy5": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "DOC-EXAMPLE-BUCKET"
},
"PolicyDocument": {
"Statement": [
{
"Action": "ListObject",
"Effect": "Allow",
"Resource": "*",
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
},
"SampleBucketPolicy6": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "DOC-EXAMPLE-BUCKET"
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"ListObject",
"GetObject"
],
"Effect": "Allow",
"Resource": "*",
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
Resources:
SampleBucketPolicy1:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref DOC-EXAMPLE-BUCKET
PolicyDocument:
Statement:
- Action:
- 's3:ListObject'
Effect: Deny
Resource: '*'
Principal: '*'
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Negative test num. 2 - json file
{
"Resources": {
"SampleBucketPolicy2": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "DOC-EXAMPLE-BUCKET"
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:ListObject"
],
"Effect": "Deny",
"Resource": "*",
"Principal": "*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
}
}
}