S3 bucket notifications disabled
- Query id: e39f87f5-0abf-488b-864c-63ee1f588140
- Query name: S3 bucket notifications disabled
- Platform: Terraform
- Severity: Low
- Category: Observability
- CWE: 778 (Insufficient Logging)
- Risk score: 1.0
- URL: Github
Description¶
S3 bucket event notifications publish an event to an SNS topic, an SQS queue, or a Lambda function whenever selected operations (for example object creation or deletion) happen in the bucket. Without them, unintended or malicious changes to bucket contents — unexpected uploads, overwrites, deletions — can go unnoticed; this is an observability gap rather than a direct exposure, which is why the severity is low. The samples below flag an `aws_s3_bucket_notification` that names no target, as well as SNS topics, SQS queues and Lambda functions that are declared but never referenced by any bucket notification.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
# Positive: two SNS topics are declared, but both notification blocks below
# target topic1, so topic2 is never wired to the bucket and receives nothing.
resource "aws_sns_topic" "topic1" {
name = "s3-event-notification-topic"
# The policy document is not shown; presumably it is what allows
# s3.amazonaws.com to publish to this topic — confirm before reusing.
policy = data.aws_iam_policy_document.topic.json
}
# NOTE(review): same name as topic1 — SNS topic names are unique per
# account/region, so this presumably collides at apply time; fixture only.
resource "aws_sns_topic" "topic2" {
name = "s3-event-notification-topic"
policy = data.aws_iam_policy_document.topic.json
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
# Both blocks reference topic1; topic2 is left unreferenced.
topic {
topic_arn = aws_sns_topic.topic1.arn
# Only object creation is watched, and only for keys ending in ".log";
# deletions (s3:ObjectRemoved:*) and other suffixes produce no event.
events = ["s3:ObjectCreated:*"]
filter_suffix = ".log"
}
topic {
topic_arn = aws_sns_topic.topic1.arn
# ObjectCreated:Post is already matched by the ObjectCreated:* block above
# with the same suffix filter.
events = ["s3:ObjectCreated:Post"]
filter_suffix = ".log"
}
}
Positive test num. 2 - tf file
# Positive: an SNS topic with no aws_s3_bucket_notification referencing it,
# so no bucket event ever reaches it.
resource "aws_sns_topic" "topic1" {
name = "s3-event-notification-topic"
policy = data.aws_iam_policy_document.topic.json
}
Positive test num. 3 - tf file
# Positive: an SQS queue with no aws_s3_bucket_notification referencing it,
# so no bucket event is ever delivered to it.
resource "aws_sqs_queue" "queue" {
name = "s3-event-notification-queue"
policy = data.aws_iam_policy_document.queue.json
}
Positive test num. 4 - tf file
Positive test num. 5 - tf file
# Positive: two SQS queues are declared, but both notification blocks below
# target queue1, so queue2 is never wired to the bucket.
resource "aws_sqs_queue" "queue1" {
name = "s3-event-notification-queue"
# The policy document is not shown; presumably it grants s3.amazonaws.com
# sqs:SendMessage on this queue — confirm before reusing.
policy = data.aws_iam_policy_document.queue.json
}
# NOTE(review): same name as queue1 — queue names are unique per
# account/region, so this presumably collides at apply time; fixture only.
resource "aws_sqs_queue" "queue2" {
name = "s3-event-notification-queue"
policy = data.aws_iam_policy_document.queue.json
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
# Both blocks reference queue1; queue2 is left unreferenced.
queue {
queue_arn = aws_sqs_queue.queue1.arn
# Only creation via POST under "images/" is watched here.
events = ["s3:ObjectCreated:Post"]
filter_prefix = "images/"
}
queue {
queue_arn = aws_sqs_queue.queue1.arn
# Any creation under "videos/"; deletions are not watched in either block.
events = ["s3:ObjectCreated:*"]
filter_prefix = "videos/"
}
}
Positive test num. 6 - tf file
# Positive: two Lambda functions are declared, but both notification blocks
# below target func1, so func2 is never invoked by the bucket.
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
# Trust policy is not shown; presumably it lets lambda.amazonaws.com assume
# the role — confirm before reusing.
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_lambda_function" "func1" {
filename = "your-function1.zip"
function_name = "example_lambda_name"
role = aws_iam_role.iam_for_lambda.arn
handler = "exports.example"
runtime = "nodejs20.x"
}
# NOTE(review): same function_name as func1 — Lambda function names are unique
# per account/region, so this presumably fails at apply time; fixture only.
resource "aws_lambda_function" "func2" {
filename = "your-function2.zip"
function_name = "example_lambda_name"
role = aws_iam_role.iam_for_lambda.arn
handler = "exports.example"
runtime = "nodejs20.x"
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
# NOTE(review): no aws_lambda_permission granting s3.amazonaws.com
# lambda:InvokeFunction is shown; S3 presumably needs one before this
# notification can be created — confirm when reusing.
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
# Both blocks reference func1; func2 is left unreferenced.
lambda_function {
lambda_function_arn = aws_lambda_function.func1.arn
# Any creation of "AWSLogs/*.log" keys; deletions are not watched.
events = ["s3:ObjectCreated:*"]
filter_prefix = "AWSLogs/"
filter_suffix = ".log"
}
lambda_function {
lambda_function_arn = aws_lambda_function.func1.arn
# Creation via POST of "OtherLogs/*.json" keys only.
events = ["s3:ObjectCreated:Post"]
filter_prefix = "OtherLogs/"
filter_suffix = ".json"
}
}
Positive test num. 7 - tf file
# Positive: the notification points at aws_sns_topic.different_topic, which is
# not declared here, while the declared topic is never referenced.
resource "aws_sns_topic" "topic" {
name = "s3-event-notification-topic"
policy = data.aws_iam_policy_document.topic.json
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
topic {
# Dangling reference: no resource "aws_sns_topic" "different_topic" exists
# in this file, so the bucket is effectively unmonitored.
topic_arn = aws_sns_topic.different_topic.arn
events = ["s3:ObjectCreated:*"]
filter_suffix = ".log"
}
}
Positive test num. 8 - tf file
# Positive: the notification points at aws_sqs_queue.different_queue, which is
# not declared here, while the declared queue is never referenced.
resource "aws_sqs_queue" "queue" {
name = "s3-event-notification-queue"
policy = data.aws_iam_policy_document.queue.json
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
queue {
# Dangling reference: no resource "aws_sqs_queue" "different_queue" exists
# in this file.
queue_arn = aws_sqs_queue.different_queue.arn
events = ["s3:ObjectCreated:*"]
filter_suffix = ".log"
}
}
Positive test num. 9 - tf file
# Positive: the notification points at aws_lambda_function.different_function,
# which is not declared here, while the declared function is never referenced.
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_lambda_function" "func" {
filename = "your-function.zip"
function_name = "example_lambda_name"
role = aws_iam_role.iam_for_lambda.arn
handler = "exports.example"
runtime = "nodejs20.x"
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
lambda_function {
# Dangling reference: no resource "aws_lambda_function" "different_function"
# exists in this file.
lambda_function_arn = aws_lambda_function.different_function.arn
events = ["s3:ObjectCreated:*"]
filter_prefix = "AWSLogs/"
filter_suffix = ".log"
}
}
Positive test num. 10 - tf file
Positive test num. 11 - tf file
Positive test num. 12 - tf file
# Positive: the aws_s3_bucket_notification below declares no topic, queue or
# lambda_function block, so no event is delivered anywhere, and the Lambda
# function declared here is never referenced.
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_lambda_function" "func" {
filename = "your-function.zip"
function_name = "example_lambda_name"
role = aws_iam_role.iam_for_lambda.arn
handler = "exports.example"
runtime = "nodejs20.x"
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
# Empty notification configuration: nothing subscribes to bucket events.
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Negative: the declared SNS topic is the target of the bucket notification.
resource "aws_sns_topic" "topic" {
name = "s3-event-notification-topic"
# The policy document is not shown; presumably it is what allows
# s3.amazonaws.com to publish to this topic — confirm before reusing.
policy = data.aws_iam_policy_document.topic.json
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
# NOTE(review): a bucket carries a single notification configuration; keep
# all targets in this one resource rather than declaring several for the
# same bucket — confirm against the provider docs.
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
topic {
topic_arn = aws_sns_topic.topic.arn
# Only creation of ".log" keys is watched; deletions (s3:ObjectRemoved:*)
# are not, so tampering by removal would go unreported with this filter.
events = ["s3:ObjectCreated:*"]
filter_suffix = ".log"
}
}
Negative test num. 2 - tf file
# Negative: the declared SQS queue is the target of the bucket notification.
resource "aws_sqs_queue" "queue" {
name = "s3-event-notification-queue"
# The policy document is not shown; presumably it grants s3.amazonaws.com
# sqs:SendMessage on this queue — confirm before reusing.
policy = data.aws_iam_policy_document.queue.json
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
queue {
queue_arn = aws_sqs_queue.queue.arn
# Only creation of ".log" keys is watched; deletions are not.
events = ["s3:ObjectCreated:*"]
filter_suffix = ".log"
}
}
Negative test num. 3 - tf file
# Negative: the declared Lambda function is the target of the bucket
# notification.
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
# Trust policy is not shown; presumably it lets lambda.amazonaws.com assume
# the role — confirm before reusing.
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_lambda_function" "func" {
filename = "your-function.zip"
function_name = "example_lambda_name"
role = aws_iam_role.iam_for_lambda.arn
handler = "exports.example"
runtime = "nodejs20.x"
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
# NOTE(review): no aws_lambda_permission granting s3.amazonaws.com
# lambda:InvokeFunction is shown; S3 presumably needs one before this
# notification can be created — confirm when reusing.
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
lambda_function {
lambda_function_arn = aws_lambda_function.func.arn
# Only creation of "AWSLogs/*.log" keys is watched; deletions are not.
events = ["s3:ObjectCreated:*"]
filter_prefix = "AWSLogs/"
filter_suffix = ".log"
}
}
Negative test num. 4 - tf file
# Negative: each declared SNS topic is referenced by its own notification
# block, so neither topic is left unwired.
resource "aws_sns_topic" "topic1" {
name = "s3-event-notification-topic"
policy = data.aws_iam_policy_document.topic.json
}
# NOTE(review): same name as topic1 — SNS topic names are unique per
# account/region, so this presumably collides at apply time; fixture only.
resource "aws_sns_topic" "topic2" {
name = "s3-event-notification-topic"
policy = data.aws_iam_policy_document.topic.json
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
topic {
topic_arn = aws_sns_topic.topic1.arn
# Any creation of ".log" keys; deletions are not watched.
events = ["s3:ObjectCreated:*"]
filter_suffix = ".log"
}
topic {
topic_arn = aws_sns_topic.topic2.arn
# ObjectCreated:Post with the same ".log" suffix is already matched by the
# ObjectCreated:* block above — overlapping filters on one bucket may be
# rejected by S3; confirm before reusing.
events = ["s3:ObjectCreated:Post"]
filter_suffix = ".log"
}
}
Negative test num. 5 - tf file
# Negative: each declared SQS queue is referenced by its own notification
# block, with non-overlapping key prefixes.
resource "aws_sqs_queue" "queue1" {
name = "s3-event-notification-queue"
policy = data.aws_iam_policy_document.queue.json
}
# NOTE(review): same name as queue1 — queue names are unique per
# account/region, so this presumably collides at apply time; fixture only.
resource "aws_sqs_queue" "queue2" {
name = "s3-event-notification-queue"
policy = data.aws_iam_policy_document.queue.json
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
queue {
queue_arn = aws_sqs_queue.queue1.arn
# Creation via POST under "images/" only; other upload methods and
# deletions under this prefix are not reported.
events = ["s3:ObjectCreated:Post"]
filter_prefix = "images/"
}
queue {
queue_arn = aws_sqs_queue.queue2.arn
# Any creation under "videos/"; deletions are not watched.
events = ["s3:ObjectCreated:*"]
filter_prefix = "videos/"
}
}
Negative test num. 6 - tf file
# Negative: each declared Lambda function is referenced by its own
# notification block, with non-overlapping key prefixes.
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_lambda_function" "func1" {
filename = "your-function1.zip"
function_name = "example_lambda_name"
role = aws_iam_role.iam_for_lambda.arn
handler = "exports.example"
runtime = "nodejs20.x"
}
# NOTE(review): same function_name as func1 — Lambda function names are unique
# per account/region, so this presumably fails at apply time; fixture only.
resource "aws_lambda_function" "func2" {
filename = "your-function2.zip"
function_name = "example_lambda_name"
role = aws_iam_role.iam_for_lambda.arn
handler = "exports.example"
runtime = "nodejs20.x"
}
resource "aws_s3_bucket" "bucket" {
bucket = "your-bucket-name"
}
# NOTE(review): no aws_lambda_permission granting s3.amazonaws.com
# lambda:InvokeFunction is shown for either function; S3 presumably needs
# one per function before this notification can be created.
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
lambda_function {
lambda_function_arn = aws_lambda_function.func1.arn
# Any creation of "AWSLogs/*.log" keys; deletions are not watched.
events = ["s3:ObjectCreated:*"]
filter_prefix = "AWSLogs/"
filter_suffix = ".log"
}
lambda_function {
lambda_function_arn = aws_lambda_function.func2.arn
# Creation via POST of "OtherLogs/*.json" keys only.
events = ["s3:ObjectCreated:Post"]
filter_prefix = "OtherLogs/"
filter_suffix = ".json"
}
}