S3 Bucket Access to Any Principal
- Query id: 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085
- Query name: S3 Bucket Access to Any Principal
- Platform: CloudFormation
- Severity: Critical
- Category: Access Control
- CWE: 284
- Risk score: 8.8
- URL: Github
Description¶
The S3 Bucket should not be associated with a policy statement that grants access to any principal
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
Resources:
Bucket:
Type: AWS::S3::Bucket
Properties:
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: true
RestrictPublicBuckets: false
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref Bucket
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- "*"
Action: s3:GetObject
Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/*
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Bucket2:
Type: AWS::S3::Bucket
Properties:
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: false
RestrictPublicBuckets: true
BucketPolicy2:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref Bucket2
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- "*"
Action: s3:GetObject
Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/*
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Positive test num. 2 - json file
{
"Resources": {
"Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": false
}
}
},
"BucketPolicy": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
},
"Bucket": "Bucket"
},
"Type": "AWS::S3::BucketPolicy"
},
"Bucket2": {
"Type": "AWS::S3::Bucket",
"Properties": {
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": true
}
}
},
"BucketPolicy2": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": "Bucket2",
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
}
}
}
}
}
Positive test num. 3 - yaml file
Resources:
SWBS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
AccessControl: Private
BucketName: !Ref S3BucketName
LifecycleConfiguration:
Rules:
- Id: Rule to delete object versions in S3 bucket after 1 day
Status: Enabled
NoncurrentVersionExpirationInDays: 1
VersioningConfiguration:
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
KMSMasterKeyID:
Fn::ImportValue: !Sub "${CoreSWBStackName}-kms-key-arn"
SSEAlgorithm: 'aws:kms'
S3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref SWBS3Bucket
PolicyDocument:
Statement:
- !If
- IsGLZReplicationEnabled
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${DestinationS3BucketAccountId}:root"
Action:
- 's3:ReplicateDelete'
- 's3:ReplicateObject'
- 's3:ObjectOwnerOverrideToBucketOwner'
Resource:
- !Join [ '',[ 'arn:aws:s3:::', !Ref S3BucketName, '/*' ] ]
- !Ref 'AWS::NoValue'
- !If
- IsGLZReplicationEnabled
- Effect: Allow
Principal: '*'
Action:
- 's3:List*'
- 's3:GetBucketVersioning'
- 's3:PutBucketVersioning'
Resource:
- !Join [ '',[ 'arn:aws:s3:::', !Ref S3BucketName ] ]
- !Ref 'AWS::NoValue'
- Effect: Deny
Principal: '*'
Action: 's3:*'
Resource:
- !GetAtt 'SWBS3Bucket.Arn'
- !Sub '${SWBS3Bucket.Arn}/*'
Condition:
Bool:
'aws:SecureTransport': false
- Effect: Deny
Principal: '*'
Action: 's3:*'
Resource:
- !GetAtt 'SWBS3Bucket.Arn'
- !Sub '${SWBS3Bucket.Arn}/*'
Condition:
NumericLessThan:
's3:TlsVersion': '1.2'
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
Resources:
Bucket:
Type: AWS::S3::Bucket
Properties:
PublicAccessBlockConfiguration:
BlockPublicAcls: false
BlockPublicPolicy: false
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref Bucket
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS:
- arn:aws:iam::111122223333:user/Alice
- arn:aws:iam::111122223333:user/foo
Action: s3:GetObject
Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/*
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Negative test num. 2 - json file
{
"Resources": {
"Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
}
}
},
"BucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
},
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/Alice",
"arn:aws:iam::111122223333:user/foo"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
}
]
},
"Bucket": "Bucket"
}
}
}
}
Negative test num. 3 - yaml file
Resources:
SWBS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
AccessControl: Private
BucketName: !Ref S3BucketName
LifecycleConfiguration:
Rules:
- Id: Rule to delete object versions in S3 bucket after 1 day
Status: Enabled
NoncurrentVersionExpirationInDays: 1
VersioningConfiguration:
Status: Enabled
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
KMSMasterKeyID:
Fn::ImportValue: !Sub "${CoreSWBStackName}-kms-key-arn"
SSEAlgorithm: 'aws:kms'
S3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref SWBS3Bucket
PolicyDocument:
Statement:
- !If
- IsGLZReplicationEnabled
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${DestinationS3BucketAccountId}:root"
Action:
- 's3:ReplicateDelete'
- 's3:ReplicateObject'
- 's3:ObjectOwnerOverrideToBucketOwner'
Resource:
- !Join [ '',[ 'arn:aws:s3:::', !Ref S3BucketName, '/*' ] ]
- !Ref 'AWS::NoValue'
- !If
- IsGLZReplicationEnabled
- Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${DestinationS3BucketAccountId}:root"
Action:
- 's3:List*'
- 's3:GetBucketVersioning'
- 's3:PutBucketVersioning'
Resource:
- !Join [ '',[ 'arn:aws:s3:::', !Ref S3BucketName ] ]
- !Ref 'AWS::NoValue'
- Effect: Deny
Principal: '*'
Action: 's3:*'
Resource:
- !GetAtt 'SWBS3Bucket.Arn'
- !Sub '${SWBS3Bucket.Arn}/*'
Condition:
Bool:
'aws:SecureTransport': false
- Effect: Deny
Principal: '*'
Action: 's3:*'
Resource:
- !GetAtt 'SWBS3Bucket.Arn'
- !Sub '${SWBS3Bucket.Arn}/*'
Condition:
NumericLessThan:
's3:TlsVersion': '1.2'