2021-05-21 18:34:30 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
|
|
By default, when not set, the ``++aws_s3_bucket_public_access_block++`` is fully deactivated (nothing is blocked):
|
|
|
|
|
|
2022-03-25 14:41:52 +01:00
|
|
|
[source,terraform]
|
2021-05-21 18:34:30 +02:00
|
|
|
----
|
2022-03-25 14:41:52 +01:00
|
|
|
resource "aws_s3_bucket" "example" { # Sensitive: no Public Access Block defined for this bucket
|
|
|
|
|
bucket = "example"
|
2021-05-21 18:34:30 +02:00
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
This ``++aws_s3_bucket_public_access_block++`` allows public ACL to be set:
|
|
|
|
|
|
2022-03-25 14:41:52 +01:00
|
|
|
[source,terraform]
|
2021-05-21 18:34:30 +02:00
|
|
|
----
|
2022-03-25 14:41:52 +01:00
|
|
|
resource "aws_s3_bucket" "example" { # Sensitive
|
|
|
|
|
bucket = "examplename"
|
2021-05-21 18:34:30 +02:00
|
|
|
}
|
|
|
|
|
|
2022-03-25 14:41:52 +01:00
|
|
|
resource "aws_s3_bucket_public_access_block" "example-public-access-block" {
|
|
|
|
|
bucket = aws_s3_bucket.example.id
|
2021-05-21 18:34:30 +02:00
|
|
|
|
|
|
|
|
block_public_acls = false # should be true
|
|
|
|
|
block_public_policy = true
|
|
|
|
|
ignore_public_acls = true
|
|
|
|
|
restrict_public_buckets = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
This ``++aws_s3_bucket_public_access_block++`` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,terraform]
|
2021-05-21 18:34:30 +02:00
|
|
|
----
|
2022-03-25 14:41:52 +01:00
|
|
|
resource "aws_s3_bucket" "example" {
|
|
|
|
|
bucket = "example"
|
2021-05-21 18:34:30 +02:00
|
|
|
}
|
|
|
|
|
|
2022-03-25 14:41:52 +01:00
|
|
|
resource "aws_s3_bucket_public_access_block" "example-public-access-block" {
|
|
|
|
|
bucket = aws_s3_bucket.example.id
|
2021-05-21 18:34:30 +02:00
|
|
|
|
|
|
|
|
block_public_acls = true
|
|
|
|
|
block_public_policy = true
|
|
|
|
|
ignore_public_acls = true
|
|
|
|
|
restrict_public_buckets = true
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
include::../see.adoc[]
|
2021-09-20 15:38:42 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
=== Message
|
|
|
|
|
|
|
|
|
|
* Primary locations
|
|
|
|
|
** Make sure allowing public ACL/policies to be set is safe here.
|
|
|
|
|
** No Public Access Block configuration prevents public ACL/policies to be set on this S3 bucket. Make sure it is safe here.
|
|
|
|
|
* Secondary location
|
|
|
|
|
** Set this property to true
|
|
|
|
|
** Related bucket
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=== Highlighting
|
|
|
|
|
|
|
|
|
|
* Primary locations
|
|
|
|
|
** aws_s3_bucket_public_access_block
|
|
|
|
|
** aws_s3_bucket resource
|
|
|
|
|
* Secondary location
|
|
|
|
|
** block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets properties set to false
|
|
|
|
|
** aws_s3_bucket resource
|
2022-03-25 14:41:52 +01:00
|
|
|
|
2021-09-20 15:38:42 +02:00
|
|
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|
