S3 Bucket Allows Public Policy

  • Query id: 1a4bc881-9f69-4d44-8c9a-d37d08f54c50
  • Query name: S3 Bucket Allows Public Policy
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • CWE: 284
  • Risk score: 7.2
  • URL: Github

Description

An `aws_s3_account_public_access_block` or `aws_s3_bucket_public_access_block` resource does not set `block_public_policy = true` — the attribute is either omitted (it then takes the provider default of `false`) or set to `false` explicitly — so a bucket policy granting public access can be attached to the bucket. The query only inspects the public-access-block resources that are declared: an account-level `block_public_policy = true` is accepted as covering the buckets in that account, and a bucket with no public access block resource at all is not reported (see Negative test 2), so its effective state has to be verified outside this configuration.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
// Flagged: the account-level public access block is declared but
// `block_public_policy` is omitted, so it takes the provider default
// (false) and public bucket policies remain allowed account-wide.
resource "aws_s3_account_public_access_block" "allow_public" {
  account_id      = 250924516109 // NOTE(review): account_id is a string attribute; quote it so an ID with a leading zero is not mangled
}

// Flagged: the bucket-level public access block explicitly sets
// `block_public_policy = false`, so a bucket policy granting public
// access can be attached. The other three settings are false as well,
// which also leaves public ACLs honored and public policies unrestricted.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket = aws_s3_bucket.public_bucket.id
  block_public_acls   = false
  block_public_policy = false
  ignore_public_acls  = false
  restrict_public_buckets = false
}
Positive test num. 2 - tf file
// Flagged: an empty account-level public access block. No account_id is
// given (the provider's own account is targeted) and every setting,
// including `block_public_policy`, is left at its default of false.
resource "aws_s3_account_public_access_block" "allow_public_acc" {
}
Positive test num. 3 - tf file
// Flagged: the account-level public access block explicitly sets
// `block_public_policy = false`, allowing public bucket policies for
// every bucket in the account.
resource "aws_s3_account_public_access_block" "allow_public" {
  account_id      = 250924516109 // NOTE(review): account_id is a string attribute; quote it so an ID with a leading zero is not mangled
  block_public_policy = false
}

// Flagged: the bucket-level public access block also sets
// `block_public_policy = false`. With the account level false as well,
// nothing prevents a public bucket policy on this bucket; the remaining
// three settings being false additionally allow public ACLs.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket = aws_s3_bucket.public_bucket.id
  block_public_acls   = false
  block_public_policy = false
  ignore_public_acls  = false
  restrict_public_buckets = false
}

Positive test num. 4 - tf file
resource "aws_s3_account_public_access_block" "allow_public_acc" {
  // insecure - the account-level block is defined but `block_public_policy`
  // is not set, so it takes the provider default of false
}

// Plain bucket definition; on its own it says nothing about public access.
// The finding in this sample concerns the public access block declared for it below.
resource "aws_s3_bucket" "public_bucket" {
  bucket = "test-bucket-public-policy"
}

resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  /* insecure - the bucket-level block is defined but `block_public_policy`
     is not set, so it takes the provider default of false and a public
     bucket policy can still be attached */
}
Positive test num. 5 - tf file
// Flagged: account-level `block_public_policy` is explicitly false, so no
// bucket in the account is protected from a public bucket policy at this level.
resource "aws_s3_account_public_access_block" "allow_public_acc" {
  block_public_policy = false /* insecure - explicitly unsafe value */
}

// Plain bucket definition; the public access settings that matter to this
// query live in the `*_public_access_block` resources around it.
resource "aws_s3_bucket" "public_bucket" {
  bucket = "test-bucket-public-policy"
}

resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  /* insecure - the bucket-level block is defined but `block_public_policy`
     is not set (provider default false); with the account level explicitly
     false as well, nothing blocks a public policy on this bucket */
}
Positive test num. 6 - tf file
resource "aws_s3_account_public_access_block" "allow_public_acc" {
  // insecure - the account-level block is defined but `block_public_policy`
  // is not set, so it takes the provider default of false
}

// Plain bucket definition; the public access settings that matter to this
// query live in the `*_public_access_block` resources around it.
resource "aws_s3_bucket" "public_bucket" {
  bucket = "test-bucket-public-policy"
}

// Flagged: bucket-level `block_public_policy` is explicitly false and the
// account level above does not set it, so a public policy can be attached.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket              = aws_s3_bucket.public_bucket.id
  block_public_policy = false /* insecure - explicitly unsafe value */
}
Positive test num. 7 - tf file
// Plain bucket definition; no account-level block exists in this sample,
// so the bucket-level block below is the only setting the query can evaluate.
resource "aws_s3_bucket" "public_bucket" {
  bucket = "test-bucket-public-policy"
}

// Flagged: the bucket-level public access block only names the bucket.
// All four settings, including `block_public_policy`, are omitted and
// therefore take the provider default of false - the resource exists
// but grants no protection.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
}
Positive test num. 8 - tf file
// Plain bucket definition; no account-level block exists in this sample,
// so the bucket-level block below is the only setting the query can evaluate.
resource "aws_s3_bucket" "public_bucket" {
  bucket = "test-bucket-public-policy"
}

// Flagged: bucket-level `block_public_policy` is explicitly false with no
// account-level block to fall back on, so a public bucket policy is allowed.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_policy     = false
}
Positive test num. 9 - tf file
// Flagged: account-level `block_public_policy` is explicitly false.
resource "aws_s3_account_public_access_block" "allow_public_acc" {
  block_public_policy = false /* insecure - explicitly unsafe value */
}

// Plain bucket definition; the public access settings that matter to this
// query live in the `*_public_access_block` resources around it.
resource "aws_s3_bucket" "public_bucket" {
  bucket = "test-bucket-public-policy"
}

// Flagged: both the account level (above) and the bucket level explicitly
// set `block_public_policy = false` - the most permissive combination.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket              = aws_s3_bucket.public_bucket.id
  block_public_policy = false /* insecure - explicitly unsafe value */
}
Positive test num. 10 - tf file
// Flagged: an account-level block alone, with `block_public_policy`
// explicitly false. No bucket resources are needed for the finding - the
// account-wide setting is reported on its own.
resource "aws_s3_account_public_access_block" "allow_public_acc" {
  block_public_policy = false /* insecure - explicitly unsafe value */
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
// Not flagged: the account-level public access block explicitly sets
// `block_public_policy = true`, which the query accepts as covering
// every bucket in the account. NOTE(review): AWS evaluates the account
// and bucket settings together and the more restrictive one wins, so
// this is safe as written - but the bucket below is then one
// account-setting change away from accepting public policies.
resource "aws_s3_account_public_access_block" "allow_public" {
  account_id      = 250924516109 // NOTE(review): account_id is a string attribute; quote it so an ID with a leading zero is not mangled
  block_public_policy = true
}

// Bucket-level block sets `block_public_policy = false`. It is not flagged
// only because the account-level resource above sets it to true; on its
// own this configuration would be reported (compare the positive samples).
// The other three settings are false too, so public ACLs are still honored
// unless blocked at the account level - outside this query's scope.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket = aws_s3_bucket.public_bucket.id
  block_public_acls   = false
  block_public_policy = false
  ignore_public_acls  = false
  restrict_public_buckets = false
}
Negative test num. 2 - tf file
// Not flagged: no public access block resource exists for this bucket, so
// there is nothing for the query to inspect. Treat this as a gap rather than
// a pass - whether public policies are actually blocked depends on
// account-level settings and defaults outside this configuration, so verify
// them separately (or declare an aws_s3_bucket_public_access_block with
// `block_public_policy = true`).
resource "aws_s3_bucket" "public_bucket" {
  bucket = "test-bucket-public-policy"
}
Negative test num. 3 - tf file
// Account-level `block_public_policy` is explicitly false. This sample is
// still negative because the single bucket below protects itself; any other
// bucket in the account without its own block would be exposed. Whether
// this account-level false is reported by a separate query is not shown here.
resource "aws_s3_account_public_access_block" "allow_public" {
  account_id      = 250924516109 // NOTE(review): account_id is a string attribute; quote it so an ID with a leading zero is not mangled
  block_public_policy = false
}

// Not flagged: the bucket-level block sets `block_public_policy = true`,
// so no public bucket policy can be attached to this bucket regardless of
// the account-level false above. The remaining three settings are still
// false (public ACLs honored), which this query does not cover.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket = aws_s3_bucket.public_bucket.id
  block_public_acls   = false
  block_public_policy = true
  ignore_public_acls  = false
  restrict_public_buckets = false
}

Negative test num. 4 - tf file
// Account-level block with `block_public_policy` omitted (provider default
// false). Not flagged here only because the bucket below sets it to true
// for itself; other buckets in the account get no protection from this block.
resource "aws_s3_account_public_access_block" "allow_public" {
  account_id      = 250924516109 // NOTE(review): account_id is a string attribute; quote it so an ID with a leading zero is not mangled
}

// Not flagged: bucket-level `block_public_policy = true` blocks public
// policies on this bucket even though the account level leaves it unset.
// The other three settings remain false and are outside this query's scope.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket = aws_s3_bucket.public_bucket.id
  block_public_acls   = false
  block_public_policy = true
  ignore_public_acls  = false
  restrict_public_buckets = false
}
Negative test num. 5 - tf file
// Not flagged: a bucket-level block alone with `block_public_policy = true`
// is sufficient for this query. The other three settings are left false;
// setting all four to true is the usual hardened baseline, but only
// `block_public_policy` is checked here.
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket = aws_s3_bucket.public_bucket.id
  block_public_acls   = false
  block_public_policy = true
  ignore_public_acls  = false
  restrict_public_buckets = false
}