CloudTrail Log Files S3 Bucket is Publicly Accessible
- Query id: bd0088a5-c133-4b20-b129-ec9968b16ef3
- Query name: CloudTrail Log Files S3 Bucket is Publicly Accessible
- Platform: Terraform
- Severity: High
- Category: Observability
- CWE: 668
- URL: Github
Description¶
CloudTrail Log Files S3 Bucket should not be publicly accessible
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
data "aws_caller_identity" "current" {}
resource "aws_cloudtrail" "foobar" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.b.id
s3_key_prefix = "prefix"
include_global_service_events = false
}
resource "aws_s3_bucket" "b" {
bucket = "my-tf-test-bucket"
acl = "public-read"
tags = {
Name = "My bucket"
Environment = "Dev"
}
}
Positive test num. 2 - tf file
variable "aws_access_key" {}
variable "aws_secret_key" {}
variable "private_key_path" {}
variable "key_name" {}
variable "region" {
default = "us-west-2"
}
provider "aws" {
access_key = var.aws_access_key
secret_key = var.aws_secret_key
region = var.region
}
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
versioning = {
enabled = true
}
bucket = "my_bucket"
acl = "public-read"
}
Positive test num. 3 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
versioning = {
enabled = true
}
bucket = "my_bucket"
acl = "public-read"
}
resource "aws_cloudtrail" "foobar2" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.bb.id
s3_key_prefix = "prefix"
include_global_service_events = false
}
resource "aws_s3_bucket" "bb" {
bucket = "my-tf-test-bucket"
}
resource "aws_s3_bucket_acl" "example_bucket_acl" {
bucket = aws_s3_bucket.bb.id
acl = "public-read"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
data "aws_caller_identity" "current2" {}
resource "aws_cloudtrail" "foobar2" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.b2.id
s3_key_prefix = "prefix"
include_global_service_events = false
}
resource "aws_s3_bucket" "b2" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
}
Negative test num. 2 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_cloudtrail" "foobar4" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.bbb.id
s3_key_prefix = "prefix"
include_global_service_events = false
}
resource "aws_s3_bucket" "bb" {
bucket = "my-tf-test-bucket"
}
resource "aws_s3_bucket_acl" "example_bucket_acl2" {
bucket = aws_s3_bucket.bbb.id
acl = "private"
}