rspec/rules/S6270/terraform/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

This policy allows anonymous access:

----
resource "aws_s3_bucket_policy" "mynoncompliantpolicy" {  # Sensitive
  bucket = aws_s3_bucket.mybucket.id
  policy = <<POLICY
{
    "Id": "mycompliantpolicy",
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "AWS": "*" 
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "${aws_s3_bucket.mybucket.arn}/*"
        }
    ]
}
POLICY
}
----

== Compliant Solution

This policy allows only the authorized users:

----
resource "aws_s3_bucket_policy" "mycompliantpolicy" { # Compliant
  bucket = aws_s3_bucket.mybucket.id
  policy = <<POLICY
{
    "Id": "mycompliantpolicy",
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
                ]
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "${aws_s3_bucket.mybucket.arn}/*"
        }
    ]
}
POLICY
}
----

include::../see.adoc[]
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`This policy allows anonymous access:`

			`----`
			`resource "aws_s3_bucket_policy" "mynoncompliantpolicy" { # Sensitive`
			`bucket = aws_s3_bucket.mybucket.id`
			`policy = <<POLICY`
			`{`
			`"Id": "mycompliantpolicy",`
			`"Version": "2012-10-17",`
			`"Statement": [{`
			`"Effect": "Allow",`
			`"Principal": {`
			`"AWS": "*"`
			`},`
			`"Action": [`
			`"s3:PutObject"`
			`],`
			`"Resource": "${aws_s3_bucket.mybucket.arn}/*"`
			`}`
			`]`
			`}`
			`POLICY`
			`}`
			`----`

			`== Compliant Solution`

			`This policy allows only the authorized users:`

			`----`
			`resource "aws_s3_bucket_policy" "mycompliantpolicy" { # Compliant`
			`bucket = aws_s3_bucket.mybucket.id`
			`policy = <<POLICY`
			`{`
			`"Id": "mycompliantpolicy",`
			`"Version": "2012-10-17",`
			`"Statement": [{`
			`"Effect": "Allow",`
			`"Principal": {`
			`"AWS": [`
			`"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"`
			`]`
			`},`
			`"Action": [`
			`"s3:PutObject"`
			`],`
			`"Resource": "${aws_s3_bucket.mybucket.arn}/*"`
			`}`
			`]`
			`}`
			`POLICY`
			`}`
			`----`

			`include::../see.adoc[]`