BOM - AWS S3 Buckets
- Query id: 2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045
- Query name: BOM - AWS S3 Buckets
- Platform: Terraform
- Severity: Trace
- Category: Bill Of Materials
- CWE: 532
- URL: Github
Description¶
A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive1" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
versioning {
mfa_delete = true
}
}
resource "aws_lb_listener" "listener5" {
load_balancer_arn = aws_lb.test3.arn
port = 80
default_action {
type = "redirect"
redirect {
port = "80"
protocol = "HTTP"
status_code = "HTTP_301"
}
}
}
resource "aws_lb" "test3" {
name = "test123"
load_balancer_type = "application"
subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
internal = true
}
Positive test num. 2 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "positive10" {
bucket = "my-tf-test-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
bucket = aws_s3_bucket.positive10.bucket
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
resource "aws_s3_bucket_acl" "example_bucket_acl2" {
bucket = aws_s3_bucket.positive10.id
acl = "private"
}
Positive test num. 3 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive2" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "some-key"
sse_algorithm = "AES256"
}
}
}
versioning {
mfa_delete = true
}
}
Positive test num. 4 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive3" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
}
Positive test num. 5 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive4" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
}
resource "aws_s3_bucket_public_access_block" "positive4" {
bucket = aws_s3_bucket.positive4.id
block_public_acls = true
block_public_policy = true
}
Positive test num. 6 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive5" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
}
resource "aws_s3_bucket_public_access_block" "positive5" {
bucket = aws_s3_bucket.positive5.id
block_public_acls = true
block_public_policy = false
}
Positive test num. 7 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive6" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_tf_test_bucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
}
}
]
}
POLICY
}
Positive test num. 8 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive7" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
}
resource "aws_s3_bucket_policy" "positive7" {
bucket = aws_s3_bucket.positive7.id
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_tf_test_bucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
}
}
]
}
POLICY
}
Positive test num. 9 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive8" {
bucket = "my-tf-test-bucket"
acl = "public-read"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
}
resource "aws_s3_bucket_policy" "positive8" {
bucket = aws_s3_bucket.positive8.id
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal" : {
"AWS": [
"arn:aws:iam::123456789012:root",
"arn:aws:iam::555555555555:root"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_tf_test_bucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
}
}
]
}
POLICY
}
Positive test num. 10 - tf file
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
}