S3 Bucket Policy Accepts HTTP Requests
- Query id: 4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9
- Query name: S3 Bucket Policy Accepts HTTP Requests
- Platform: Terraform
- Severity: Medium
- Category: Encryption
- CWE: 319
- URL: Github
Description¶
S3 Bucket policy should not accept HTTP Requests
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_s3_bucket" "b" {
bucket = "my-tf-test-bucket"
}
resource "aws_s3_bucket_policy" "b" {
bucket = aws_s3_bucket.b.id
policy = <<EOF
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"aws_s3_bucket.b.arn"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "8.8.8.8/32"
}
}
}
]
}
EOF
}
Positive test num. 2 - tf file
resource "aws_s3_bucket" "b2" {
bucket = "my-tf-test-bucket"
policy = <<EOF
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"aws_s3_bucket.b.arn"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "8.8.8.8/32"
}
}
}
]
}
EOF
}
Positive test num. 3 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
policy = <<EOF
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"aws_s3_bucket.b.arn"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "8.8.8.8/32"
}
}
}
]
}
EOF
}
Positive test num. 4 - tf file
data "aws_iam_policy_document" "pos4" {
statement {
effect = "Deny"
principals {
type = "*"
identifiers = ["*"]
}
actions = [
"s3:*",
]
resources = [
"arn:aws:s3:::a/*",
"arn:aws:s3:::a",
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["true"]
}
}
}
resource "aws_s3_bucket" "pos4" {
bucket = "a"
policy = data.aws_iam_policy_document.pos4.json
}
Positive test num. 5 - tf file
data "aws_iam_policy_document" "pos5" {
statement {
effect = "Allow"
principals {
type = "*"
identifiers = ["*"]
}
actions = [
"s3:*",
]
resources = [
"arn:aws:s3:::a/*",
"arn:aws:s3:::a",
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["false"]
}
}
}
resource "aws_s3_bucket" "pos5" {
bucket = "a"
policy = data.aws_iam_policy_document.pos5.json
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_s3_bucket" "b" {
bucket = "my-tf-test-bucket"
}
resource "aws_s3_bucket_policy" "b" {
bucket = aws_s3_bucket.b.id
policy = <<EOF
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"aws_s3_bucket.b.arn"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
EOF
}
Negative test num. 2 - tf file
resource "aws_s3_bucket" "b2" {
bucket = "my-tf-test-bucket"
policy = <<EOF
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"aws_s3_bucket.b.arn"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
EOF
}
Negative test num. 3 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
policy = <<EOF
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"aws_s3_bucket.b.arn"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"aws_s3_bucket.c.arn"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
EOF
}
Negative test num. 4 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
policy = <<EOF
{
"Version": "2012-10-17",
"Id": "MYBUCKETPOLICY",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"aws_s3_bucket.b.arn"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
}
]
}
EOF
}
Negative test num. 5 - tf file
data "aws_iam_policy_document" "neg5" {
statement {
effect = "Deny"
principals {
type = "*"
identifiers = ["*"]
}
actions = [
"s3:*",
]
resources = [
"arn:aws:s3:::a/*",
"arn:aws:s3:::a",
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["false"]
}
}
}
resource "aws_s3_bucket" "neg5" {
bucket = "a"
policy = data.aws_iam_policy_document.neg5.json
}
Negative test num. 6 - tf file
data "aws_iam_policy_document" "neg6" {
statement {
effect = "Allow"
principals {
type = "*"
identifiers = ["*"]
}
actions = [
"s3:*",
]
resources = [
"arn:aws:s3:::a/*",
"arn:aws:s3:::a",
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["true"]
}
}
}
resource "aws_s3_bucket" "neg6" {
bucket = "a"
policy = data.aws_iam_policy_document.neg6.json
}
Negative test num. 7 - tf file
resource "aws_s3_bucket" "negative7" {
bucket = "my-tf-test-bucket"
tags = {
Name = "My bucket"
Environment = "Dev"
}
}
data "aws_iam_policy_document" "policy" {
statement {
sid = "https"
effect = "Deny"
principals {
type = "*"
identifiers = ["*"]
}
actions = [
"s3:*"
]
resources = [
aws_s3_bucket.negative7.arn,
"${aws_s3_bucket.negative7.arn}/*"
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = [
"false"
]
}
}
}
resource "aws_s3_bucket_policy" "bucket_policy" {
bucket = aws_s3_bucket.negative7.id
policy = data.aws_iam_policy_document.policy.json
}
Negative test num. 8 - tf file
locals {
support_site_bucket_name = "support-site-${var.stack}-${var.environment}${var.bucket_name_suffix}"
}
resource "aws_s3_bucket" "support_site_app_bucket" {
force_destroy = var.destroyable_env
bucket = local.support_site_bucket_name
}
resource "aws_cloudfront_origin_access_identity" "support_site_origin_access_identity" {}
data "aws_iam_policy_document" "support_site_bucket_policy_document" {
version = "2012-10-17"
statement {
sid = "DenyNonSecureTransport"
effect = "Deny"
actions = ["s3:*"]
resources = [
"arn:aws:s3:::${local.support_site_bucket_name}/*"
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["false"]
}
principals {
type = "AWS"
identifiers = ["*"]
}
}
statement {
sid = "AllowCloudFrontAccess"
effect = "Allow"
actions = ["s3:GetObject"]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.support_site_origin_access_identity.iam_arn]
}
resources = [
"arn:aws:s3:::${local.support_site_bucket_name}/*"
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["true"]
}
}
}
resource "aws_s3_bucket_policy" "support_site_app_bucket_policy" {
depends_on = [aws_s3_bucket.support_site_app_bucket]
bucket = aws_s3_bucket.support_site_app_bucket.id
policy = data.aws_iam_policy_document.support_site_bucket_policy_document.json
}