S3 Bucket With All Permissions

  • Query id: 6a6d7e56-c913-4549-b5c5-5221e624d2ec
  • Query name: S3 Bucket With All Permissions
  • Platform: Ansible
  • Severity: Critical
  • Category: Access Control
  • URL: Github

Description

S3 buckets should not grant all permissions to everyone: a bucket policy that allows every S3 action to every principal lets anyone on the internet read private data and tamper with or delete objects. Concretely, no policy statement may combine 'Effect: Allow' with a wildcard 'Action' ('*' or 's3:*') and a 'Principal' of '*'. Note that this query targets the wildcard action only; a statement that grants a single action such as s3:PutObject to Principal '*' (as in the non-vulnerable sample below) is not flagged here, but it is still an anonymous grant and deserves its own review.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: Create s3 bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    policy:
      Id: "id113"
      Version: "2012-10-17"
      Statement:
      - Action: "s3:*"
        Effect: "Allow"
        Resource: "arn:aws:s3:::S3B_181355/*"
        Principal: "*"
    requester_pays: yes
    versioning: yes

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create s3 bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    policy:
      Id: id113
      Version: '2012-10-17'
      Statement:
      - Action: s3:PutObject
        Effect: Allow
        Resource: arn:aws:s3:::S3B_181355/*
        Principal: '*'
    requester_pays: yes
    versioning: yes
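
The check described above, as an added example that is not part of the KICS query or its test fixtures: a small checker that applies the rule to the `policy` of amazon.aws.s3_bucket tasks, accepting the policy either as a mapping or as a JSON string (both forms the module takes). It also handles the list and {"AWS": "*"} spellings of Action and Principal, which the rule's wording covers but the samples do not show. The tasks are constructed here as Python literals mirroring the two YAML samples on this page, plus a third task in the JSON-string form, so the script runs without a YAML parser.

```python
"""Added example, not part of the KICS query or its fixtures: apply the
"S3 Bucket With All Permissions" rule to amazon.aws.s3_bucket tasks."""
import json
from typing import Any, Dict, List, Tuple

# Actions the rule treats as "all permissions" on the bucket.
WILDCARD_ACTIONS = {"*", "s3:*"}
# Both the FQCN and the short module name appear in real playbooks.
S3_BUCKET_MODULES = ("amazon.aws.s3_bucket", "s3_bucket")


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal: Any) -> bool:
    """True when the Principal element grants to anyone:
    '*', {'AWS': '*'} or {'AWS': [..., '*']}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def action_is_wildcard(action: Any) -> bool:
    """True when any listed action is a full wildcard ('*' or 's3:*')."""
    return any(a in WILDCARD_ACTIONS for a in _as_list(action))


def find_all_permission_statements(policy: Dict[str, Any]) -> List[str]:
    """Return a label (Sid, or positional fallback) for every statement that
    allows a wildcard action to every principal. A Condition block is
    deliberately ignored: the rule flags the grant regardless of conditions."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not action_is_wildcard(stmt.get("Action")):
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


def scan_tasks(tasks: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Walk a list of Ansible tasks and report (task name, statement label)
    for each offending bucket policy. `policy` may be a mapping or a JSON
    string, so both forms are handled."""
    results = []
    for task in tasks:
        for module in S3_BUCKET_MODULES:
            args = task.get(module)
            if not isinstance(args, dict):
                continue
            policy = args.get("policy")
            if isinstance(policy, str):
                policy = json.loads(policy)
            if not isinstance(policy, dict):
                continue
            for label in find_all_permission_statements(policy):
                results.append((task.get("name", "<unnamed>"), label))
    return results


def _bucket_task(name: str, module: str, policy: Any) -> Dict[str, Any]:
    """Build a minimal s3_bucket task dict for the constructed samples."""
    return {"name": name, module: {"name": "mys3bucket", "policy": policy}}


# Constructed sample tasks (not from a real playbook).
SAMPLE_TASKS = [
    # Mirrors the vulnerable sample on this page.
    _bucket_task("Create s3 bucket (wildcard)", "amazon.aws.s3_bucket", {
        "Id": "id113", "Version": "2012-10-17",
        "Statement": [{"Action": "s3:*", "Effect": "Allow",
                       "Resource": "arn:aws:s3:::S3B_181355/*", "Principal": "*"}]}),
    # Mirrors the non-vulnerable sample: a single action, so not flagged.
    _bucket_task("Create s3 bucket (single action)", "amazon.aws.s3_bucket", {
        "Id": "id113", "Version": "2012-10-17",
        "Statement": [{"Action": "s3:PutObject", "Effect": "Allow",
                       "Resource": "arn:aws:s3:::S3B_181355/*", "Principal": "*"}]}),
    # Short module name, JSON-string policy, list Action, {"AWS": "*"} Principal.
    _bucket_task("Create s3 bucket (json string)", "s3_bucket", json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "PublicEverything", "Effect": "Allow",
                       "Action": ["s3:GetObject", "*"],
                       "Resource": "arn:aws:s3:::mys3bucket/*",
                       "Principal": {"AWS": "*"}}]})),
]

if __name__ == "__main__":
    for task_name, label in scan_tasks(SAMPLE_TASKS):
        print(f"CRITICAL: {task_name}: {label} allows all actions to everyone")
```

Running the script reports the first and third tasks and stays silent on the second, which is exactly the boundary the query draws: the single-action anonymous grant passes this rule and has to be caught by a separate check on public principals.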