S3 Bucket Access to Any Principal
- Query id: 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085
- Query name: S3 Bucket Access to Any Principal
- Platform: CloudFormation
- Severity: Critical
- Category: Access Control
- URL: Github
Description¶
The S3 Bucket should not be associated with a policy statement that grants access to any principal
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
Bucket:
Type: AWS::S3::Bucket
Properties:
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: true
RestrictPublicBuckets: false
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref Bucket
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- "*"
Action: s3:GetObject
Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/*
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Bucket2:
Type: AWS::S3::Bucket
Properties:
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: false
RestrictPublicBuckets: true
BucketPolicy2:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref Bucket2
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- "*"
Action: s3:GetObject
Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/*
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Positive test num. 2 - json file
{
"Resources": {
"Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": false
}
}
},
"BucketPolicy": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
},
"Bucket": "Bucket"
},
"Type": "AWS::S3::BucketPolicy"
},
"Bucket2": {
"Type": "AWS::S3::Bucket",
"Properties": {
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": true
}
}
},
"BucketPolicy2": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": "Bucket2",
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
Bucket:
Type: AWS::S3::Bucket
Properties:
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref Bucket
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- arn:aws:iam::111122223333:user/Alice
- arn:aws:iam::111122223333:user/foo
Action: s3:GetObject
Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/*
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Negative test num. 2 - json file
{
"Resources": {
"Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
}
}
},
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
},
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/Alice",
"arn:aws:iam::111122223333:user/foo"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
}
]
},
"Bucket": "Bucket"
}
}
}
}