rspec/rules/S6270/python/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

This policy allows all users, including anonymous ones, to access an S3 bucket:

[source,python]
----
from aws_cdk.aws_iam import PolicyStatement, AnyPrincipal, Effect
from aws_cdk.aws_s3 import Bucket

bucket = Bucket(self, "ExampleBucket")
        
bucket.add_to_resource_policy(PolicyStatement(
  effect=Effect.ALLOW,
  actions=["s3:*"],
  resources=[bucket.arn_for_objects("*")],
  principals=[AnyPrincipal()] # Sensitive
))
----

== Compliant Solution

This policy allows only the authorized users:

[source,python]
----
from aws_cdk.aws_iam import PolicyStatement, AccountRootPrincipal, Effect
from aws_cdk.aws_s3 import Bucket

bucket = Bucket(self, "ExampleBucket")
        
bucket.add_to_resource_policy(PolicyStatement(
  effect=Effect.ALLOW,
  actions=["s3:*"],
  resources=[bucket.arn_for_objects("*")],
  principals=[AccountRootPrincipal()]
))
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]
Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-154) (#1287) 2022-09-30 15:16:31 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`This policy allows all users, including anonymous ones, to access an S3 bucket:`

			`[source,python]`
			`----`
			`from aws_cdk.aws_iam import PolicyStatement, AnyPrincipal, Effect`
			`from aws_cdk.aws_s3 import Bucket`

			`bucket = Bucket(self, "ExampleBucket")`

			`bucket.add_to_resource_policy(PolicyStatement(`
			`effect=Effect.ALLOW,`
			`actions=["s3:*"],`
			`resources=[bucket.arn_for_objects("*")],`
Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-172) (#1311) 2022-10-11 10:28:07 +02:00			`principals=[AnyPrincipal()] # Sensitive`
Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-154) (#1287) 2022-09-30 15:16:31 +02:00			`))`
			`----`

			`== Compliant Solution`

			`This policy allows only the authorized users:`

			`[source,python]`
			`----`
			`from aws_cdk.aws_iam import PolicyStatement, AccountRootPrincipal, Effect`
			`from aws_cdk.aws_s3 import Bucket`

			`bucket = Bucket(self, "ExampleBucket")`

			`bucket.add_to_resource_policy(PolicyStatement(`
			`effect=Effect.ALLOW,`
			`actions=["s3:*"],`
			`resources=[bucket.arn_for_objects("*")],`
			`principals=[AccountRootPrincipal()]`
			`))`
			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-154) (#1287) 2022-09-30 15:16:31 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-172) (#1311) 2022-10-11 10:28:07 +02:00			`include::../highlighting.adoc[]`
Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-154) (#1287) 2022-09-30 15:16:31 +02:00
			`endif::env-github,rspecator-view[]`