S3 Bucket Allows Put Action From All Principals

  • Query id: a0f1bfe0-741e-473f-b3b2-13e66f856fab
  • Query name: S3 Bucket Allows Put Action From All Principals
  • Platform: Ansible
  • Severity: Critical
  • Category: Access Control
  • URL: Github

Description

S3 buckets must not allow Put actions from all principals: a bucket policy statement with 'Effect' 'Allow', an 'Action' that covers s3:Put* (directly, or through a wildcard such as 's3:*' or '*') and a 'Principal' of all principals ('*', or the equivalent {'AWS': '*'}) lets anyone on the internet write to the bucket, which exposes it to unauthorized data tampering, overwriting and deletion of objects. In other words, the 'Effect' must not be 'Allow' when the 'Action' is a Put action and the 'Principal' is all principals.
Documentation
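As an added worked example (not KICS's own Rego query), the following Python implements the check the description states and runs it against the page's two fixtures plus constructed variants a reviewer should expect in real Ansible code: the {"AWS": "*"} principal form, a list-valued Action, wildcard actions ("s3:*", "s3:Put*"), a Deny statement, and a grant narrowed by a Condition. The policies are taken as the `policy` mapping of an amazon.aws.s3_bucket task after YAML/JSON loading; all sample policies, the bucket ARN derived from the page's bucket name, and the VPC endpoint id are constructed placeholders.

```python
"""Detect S3 bucket policy statements that grant Put actions to all principals.

Added example, not KICS's own rule logic. Input is the `policy` mapping of an
amazon.aws.s3_bucket task (as it looks after YAML/JSON loading).
"""
from fnmatch import fnmatchcase

# Representative S3 write actions used to expand wildcards such as "s3:*" or
# "s3:Put*" (constructed list; AWS defines more Put* actions than these).
PUT_ACTIONS = (
    "s3:putobject",
    "s3:putobjectacl",
    "s3:putbucketpolicy",
    "s3:putbucketacl",
)


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def principal_is_everyone(principal):
    """True for the anonymous-principal forms: "*" and {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def action_grants_put(action):
    """True if an action pattern covers at least one S3 Put action.

    Unprefixed actions such as "PutObject" (as in the page's fixture) are
    treated as s3: actions; matching is case-insensitive, as IAM's is.
    """
    pattern = str(action).lower()
    if ":" not in pattern:
        pattern = "s3:" + pattern
    return any(fnmatchcase(put, pattern) for put in PUT_ACTIONS)


def find_public_put_statements(policy):
    """Return one finding per Allow statement that grants a Put action to everyone.

    Deny statements never produce a finding. A statement with a Condition is
    still reported (it may or may not actually restrict the grant) but is
    marked `conditional` so a reviewer can look at it before suppressing.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        put_actions = [a for a in _as_list(stmt.get("Action")) if action_grants_put(a)]
        if put_actions:
            findings.append({
                "index": idx,
                "actions": put_actions,
                "conditional": bool(stmt.get("Condition")),
            })
    return findings


# Constructed sample policies. The first two mirror the page's fixtures.
BUCKET_OBJECTS = "arn:aws:s3:::mys3bucket/*"  # derived from the page's bucket name
PAGE_POSITIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "PutObject", "Principal": "*"}]}
PAGE_NEGATIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "PutObject", "Principal": "NotAll"}]}
WILDCARD_AWS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Principal": {"AWS": "*"}, "Resource": BUCKET_OBJECTS}]}
STAR_ACTION = {"Version": "2012-10-17", "Statement": {  # single statement, not a list
    "Effect": "Allow", "Action": "s3:*", "Principal": "*", "Resource": BUCKET_OBJECTS}}
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Principal": "*", "Resource": BUCKET_OBJECTS}]}
DENY_PUT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Principal": "*", "Resource": BUCKET_OBJECTS}]}
CONDITIONAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Principal": "*", "Resource": BUCKET_OBJECTS,
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}}]}  # placeholder id

if __name__ == "__main__":
    samples = [("page positive", PAGE_POSITIVE), ("page negative", PAGE_NEGATIVE),
               ("AWS wildcard", WILDCARD_AWS), ("s3:* action", STAR_ACTION),
               ("public read only", PUBLIC_READ), ("deny put", DENY_PUT),
               ("conditional put", CONDITIONAL)]
    for label, policy in samples:
        print(f"{label:18s} -> {find_public_put_statements(policy)}")
```

The public-read sample is deliberately not a finding: it is a separate weakness (public GetObject) outside this query's scope, and conflating the two hides which one a fix addresses. The conditional sample shows why the `conditional` flag matters: AWS's own "public bucket" evaluation treats some conditions (for example on the source VPC endpoint) as making a '*' grant non-public, so a finding on such a statement needs a human look rather than an automatic suppression.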

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Problematic code: the query should report a result here.
# 'Effect: Allow' + a Put action + 'Principal: "*"' lets anyone on the internet write to the bucket.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: Allow
        Action: PutObject
        Principal: "*"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Correct code: the query should not report a result here.
# 'NotAll' is the fixture's placeholder for a specific principal; a real policy
# would name an account, user or role ARN (e.g. under an 'AWS' key) instead of '*'.
- name: Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: Allow
        Action: PutObject
        Principal: NotAll