S3 Bucket Allows Public Policy

  • Query id: 1a4bc881-9f69-4d44-8c9a-d37d08f54c50
  • Query name: S3 Bucket Allows Public Policy
  • Platform: Terraform
  • Severity: High
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

The `aws_s3_account_public_access_block` resource does not set `block_public_policy` to `true`. The attribute defaults to `false` in the AWS provider, so leaving it unset, or setting it to `false`, allows a public bucket policy to be attached to any bucket in the account. Amazon S3 applies the more restrictive of the account-level and bucket-level settings, so the account-level `block_public_policy = true` is the guardrail that holds even when an individual bucket's `aws_s3_bucket_public_access_block` is permissive. This query evaluates only the account-level resource; a permissive bucket-level block on its own is outside its scope.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
// account-level block is defined but does NOT explicitly set
// `block_public_policy` to `true` (the provider default is `false`)
resource "aws_s3_account_public_access_block" "allow_public" {
  account_id = "250924516109"
}

// bucket-level block sets `block_public_policy` to `false`;
// nothing at the account level overrides it
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

Positive test num. 2 - tf file
// account-level block is defined and explicitly sets
// `block_public_policy` to `false`
resource "aws_s3_account_public_access_block" "allow_public" {
  account_id          = "250924516109"
  block_public_policy = false
}

// bucket-level block sets `block_public_policy` to `false`;
// nothing at the account level overrides it
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
// account-level block is defined and explicitly sets
// `block_public_policy` to `true`
resource "aws_s3_account_public_access_block" "allow_public" {
  account_id          = "250924516109"
  block_public_policy = true
}

// bucket-level block still sets `block_public_policy` to `false`, but
// the account-level setting is the more restrictive of the two and wins
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

Negative test num. 2 - tf file
// no `aws_s3_account_public_access_block` is defined, so this query has
// nothing to evaluate; the bucket-level `block_public_policy = false`
// is outside its scope
resource "aws_s3_bucket_public_access_block" "allow_public" {
  bucket                  = aws_s3_bucket.public_bucket.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}
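The decision behind the four samples above, as an added example that is not KICS's own query (KICS queries are written in Rego): a stand-alone Python re-implementation of the same check over Terraform's JSON configuration syntax (`.tf.json`), which the standard library can parse without an HCL parser. The resource and attribute names are the real AWS provider names; the fixtures are constructed here to mirror the positive and negative samples, and the account id is a placeholder. It reports a missing attribute (provider default `false`), an explicit `false`, and an unresolved expression that cannot be statically proven to be `true`.

```python
"""Flag aws_s3_account_public_access_block resources that do not set block_public_policy = true.

Added example, not KICS's own query: an independent re-implementation of the
same decision over Terraform's JSON syntax (.tf.json), readable with json.load().
"""
import json
from pathlib import Path

RESOURCE_TYPE = "aws_s3_account_public_access_block"
ATTRIBUTE = "block_public_policy"


def _bodies(value):
    # Terraform JSON syntax lets a resource label map to one body or to a list of bodies.
    return value if isinstance(value, list) else [value]


def find_public_policy_violations(config):
    """Return one finding per account-level block whose block_public_policy is not literally true.

    The AWS provider defaults the attribute to false, so an absent attribute is a
    finding, as is an explicit false or an unresolved expression such as
    "${var.block}" (a static scan cannot prove it evaluates to true).
    """
    findings = []
    for name, value in config.get("resource", {}).get(RESOURCE_TYPE, {}).items():
        for body in _bodies(value):
            setting = body.get(ATTRIBUTE)
            if setting is True:
                continue
            findings.append({
                "resource": f"{RESOURCE_TYPE}.{name}",
                "attribute": ATTRIBUTE,
                "issue": "not set (provider default is false)" if setting is None
                         else f"set to {json.dumps(setting)}",
            })
    return findings


def check_file(path):
    """Scan one .tf.json file and return its findings."""
    return find_public_policy_violations(json.loads(Path(path).read_text()))


def _bucket_block():
    # Bucket-level block that disables every protection, as in the samples on this page.
    return {"allow_public": {
        "bucket": "${aws_s3_bucket.public_bucket.id}",
        "block_public_acls": False,
        "block_public_policy": False,
        "ignore_public_acls": False,
        "restrict_public_buckets": False,
    }}


def _config(account_block=None):
    resources = {"aws_s3_bucket_public_access_block": _bucket_block()}
    if account_block is not None:
        resources[RESOURCE_TYPE] = {"allow_public": account_block}
    return {"resource": resources}


# Constructed fixtures mirroring the page's samples; the account id is a placeholder.
POSITIVE_1 = _config({"account_id": "250924516109"})
POSITIVE_2 = _config({"account_id": "250924516109", ATTRIBUTE: False})
NEGATIVE_1 = _config({"account_id": "250924516109", ATTRIBUTE: True})
NEGATIVE_2 = _config(None)


if __name__ == "__main__":
    for label, cfg in [("positive 1", POSITIVE_1), ("positive 2", POSITIVE_2),
                       ("negative 1", NEGATIVE_1), ("negative 2", NEGATIVE_2)]:
        print(label, find_public_policy_violations(cfg))
```

Running the module prints one finding for each positive sample and none for the negative ones; `check_file()` applies the same logic to a real `.tf.json` file. The check deliberately treats anything other than a literal `true` as a finding, which is the conservative choice for a static scanner: a `${var...}` reference may well resolve to `true` at plan time, but the configuration as written does not guarantee it.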