S3 Bucket Allows List Action From All Principals

Query id: faa8fddf-c0aa-4b2d-84ff-e993e233ebe9
Query name: S3 Bucket Allows List Action From All Principals
Platform: CloudFormation
Severity: High
Category: Access Control
CWE: 200
URL: Github

Description¶

S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

< Re

Positive test num. 2 - json file

/span>

#this is a problematic code where the query should report a result(s) sources: SampleBucketPolicy3: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref DOC-EXAMPLE-BUCKET class="w">      PolicyDocument: Statement: - Action: "ListObject" Effect: Allow Resource: "*" Principal: "*" Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' SampleBucketPolicy4: Type: 'AWS::S3::BucketPolicy' Properties: Bucket: !Ref DOC-EXAMPLE-BUCKET class="w">      PolicyDocument: Statement: - Action: - "ListObject" - "GetObject" Effect: Allow Resource: "*" Principal: "*" Condition: StringLike: 'aws:Referer': - 'http://www.example.com/*' - 'http://example.net/*' /span>{ "Resources": { "SampleBucketPolicy5": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "DOC-EXAMPLE-BUCKET" }, class="w">        "PolicyDocument": { "Statement": [ { "Action": "ListObject", "Effect": "Allow", "Resource": "*", "Principal": "*", "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } } } ] } } }, "SampleBucketPolicy6": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": { "Ref": "DOC-EXAMPLE-BUCKET" }, class="w">        "PolicyDocument": { "Statement": [ { "Action": [ "ListObject", "GetObject" ], "Effect": "Allow", "Resource": "*", "Principal": "*", "Condition": { "StringLike": { "aws:Referer": [ "http://www.example.com/*", "http://example.net/*" ] } } } ] } } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file#this code is a correct code for which the query should not find any result
Resources:
  SampleBucketPolicy1:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref DOC-EXAMPLE-BUCKET
      PolicyDocument:
        Statement:
          - Action:
              - 's3:ListObject'
            Effect: Deny
            Resource: '*'
            Principal: '*'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'

Negative test num. 2 - json file{
  "Resources": {
    "SampleBucketPolicy2": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "DOC-EXAMPLE-BUCKET"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:ListObject"
              ],
              "Effect": "Deny",
              "Resource": "*",
              "Principal": "*",
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              }
            }
          ]
        }
      }
    }
  }
}