S3 Bucket With All Permissions

  • Query id: a4966c4f-9141-48b8-a564-ffe9959945bc
  • Query name: S3 Bucket With All Permissions
  • Platform: Terraform
  • Severity: Critical
  • Category: Access Control
  • CWE: 250
  • URL: Github

Description

S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_s3_bucket" "positive1" {
  bucket = "S3B_181355"
  acl    = "private"

  policy = <<EOF
    {
      "Id": "id113",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:*"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::S3B_181355/*",
          "Principal": "*"
        }
      ]
    }
  EOF
}
Positive test num. 2 - tf file
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  policy = <<EOF
    {
      "Id": "id113",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:*"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::S3B_181355/*",
          "Principal": "*"
        }
      ]
    }
  EOF
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_s3_bucket" "negative1" {
  bucket = "S3B_181355"
  acl    = "private"

  policy = <<EOF
    {
      "Id": "id113",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:putObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::S3B_181355/*",
          "Principal": "*"
        }
      ]
    }
  EOF
}
Negative test num. 2 - tf file
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  policy = <<EOF
    {
      "Id": "id113",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:putObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::S3B_181355/*",
          "Principal": "*"
        }
      ]
    }
  EOF
}