S3 Bucket ACL Allows Read Or Write to All Users
- Query id: 07dda8de-d90d-469e-9b37-1aca53526ced
- Query name: S3 Bucket ACL Allows Read Or Write to All Users
- Platform: CloudFormation
- Severity: Critical
- Category: Access Control
- URL: Github
Description¶
S3 Buckets should not be readable and writable to all users
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
JenkinsArtifacts01:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicReadWrite
BucketName: jenkins-artifacts
Tags:
- Key: CostCenter
Value: ITEngineering
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
StaticPage01:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicReadWrite
BucketName: public-read-static-page01
WebsiteConfiguration:
ErrorDocument: 404.html
IndexDocument: index.html
Tags:
- Key: CostCenter
Value: ITEngineering
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
JenkinsArtifacts02:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicReadWrite
BucketName: jenkins-artifacts-block-public
PublicAccessBlockConfiguration:
BlockPublicPolicy: false
VersioningConfiguration:
Status: Enabled
Tags:
- Key: CostCenter
Value: ITEngineering
- Key: Type
Value: CICD
Positive test num. 4 - yaml file
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating S3 bucket",
"Resources": {
"JenkinsArtifacts01": {
"Properties": {
"Tags": [
{
"Key": "CostCenter",
"Value": "ITEngineering"
}
],
"AccessControl": "PublicReadWrite",
"BucketName": "jenkins-artifacts"
},
"Type": "AWS::S3::Bucket"
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating S3 bucket",
"Resources": {
"StaticPage01": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicReadWrite",
"BucketName": "public-read-static-page01",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "404.html"
},
"Tags": [
{
"Key": "CostCenter",
"Value": "ITEngineering"
}
]
}
}
}
}
Positive test num. 7 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating S3 bucket",
"Resources": {
"JenkinsArtifacts02": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicReadWrite",
"BucketName": "jenkins-artifacts-block-public",
"PublicAccessBlockConfiguration": {
"BlockPublicPolicy": false
},
"VersioningConfiguration": {
"Status": "Enabled"
},
"Tags": [
{
"Key": "CostCenter",
"Value": "ITEngineering"
},
{
"Key": "Type",
"Value": "CICD"
}
]
}
}
}
}
Positive test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating S3 bucket",
"Resources": {
"S3BucketForWebsiteContent": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicReadWrite",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "error.html"
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
JenkinsArtifacts03:
Type: AWS::S3::Bucket
Properties:
AccessControl: BucketOwnerFullControl
BucketName: jenkins-artifacts
VersioningConfiguration:
Status: Enabled
Tags:
- Key: CostCenter
Value: ITEngineering
- Key: Type
Value: CICD
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
JenkinsArtifacts04:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: jenkins-secret-artifacts
VersioningConfiguration:
Status: Enabled
Tags:
- Key: CostCenter
Value: ''
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
JenkinsArtifacts05:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
BucketName: jenkins-secret-artifacts2
VersioningConfiguration:
Status: Enabled
Tags:
- Key: CostCenter
Value: ITEngineering
Negative test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Description: Creating S3 bucket
Resources:
StaticPage03:
Type: AWS::S3::Bucket
Properties:
AccessControl: AuthenticatedRead
BucketName: public-read-static-page
WebsiteConfiguration:
ErrorDocument: 404.html
IndexDocument: index.html
Tags:
- Key: CostCenter
Value: ITEngineering
Outputs:
WebsiteURL:
Value:
Fn::GetAtt:
- StaticPage03
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value:
Fn::Join:
- ""
- - https://
- Fn::GetAtt:
- StaticPage03
- DomainName
Description: Name of S3 bucket to hold website content
Negative test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating S3 bucket",
"Resources": {
"JenkinsArtifacts03": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "jenkins-artifacts",
"VersioningConfiguration": {
"Status": "Enabled"
},
"Tags": [
{
"Key": "CostCenter",
"Value": "ITEngineering"
},
{
"Value": "CICD",
"Key": "Type"
}
],
"AccessControl": "BucketOwnerFullControl"
}
}
}
}
Negative test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating S3 bucket",
"Resources": {
"JenkinsArtifacts04": {
"Type": "AWS::S3::Bucket",
"Properties": {
"Tags": [
{
"Key": "CostCenter",
"Value": ""
}
],
"AccessControl": "Private",
"BucketName": "jenkins-secret-artifacts",
"VersioningConfiguration": {
"Status": "Enabled"
}
}
}
}
}
Negative test num. 7 - json file
{
"Resources": {
"JenkinsArtifacts05": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "PublicRead",
"BucketName": "jenkins-secret-artifacts2",
"VersioningConfiguration": {
"Status": "Enabled"
},
"Tags": [
{
"Key": "CostCenter",
"Value": "ITEngineering"
}
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating S3 bucket"
}
Negative test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Description": "Creating S3 bucket",
"Resources": {
"StaticPage03": {
"Type": "AWS::S3::Bucket",
"Properties": {
"Tags": [
{
"Key": "CostCenter",
"Value": "ITEngineering"
}
],
"AccessControl": "AuthenticatedRead",
"BucketName": "public-read-static-page",
"WebsiteConfiguration": {
"IndexDocument": "index.html",
"ErrorDocument": "404.html"
}
}
}
},
"Outputs": {
"WebsiteURL": {
"Value": {
"Fn::GetAtt": [
"StaticPage03",
"WebsiteURL"
]
},
"Description": "URL for website hosted on S3"
},
"S3BucketSecureURL": {
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"StaticPage03",
"DomainName"
]
}
]
]
},
"Description": "Name of S3 bucket to hold website content"
}
}
}