rspec/rules/S6249/cloudformation/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

No secure policy is attached to this S3 bucket:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Sensitive
----

A policy is defined but forces only HTTPs communication for some users:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties: 
      BucketName: "mynoncompliantbucket"

  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny 
            Principal:
              AWS: # Sensitive: only one principal is forced to use https
                - 'arn:aws:iam::123456789123:root' 
            Action: "*" 
            Resource: arn:aws:s3:::mynoncompliantbuckets6249/* 
            Condition:
              Bool:
                "aws:SecureTransport": false 
----

== Compliant Solution

A secure policy that denies the use of all HTTP requests:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      BucketName: "mycompliantbucket"

  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: "mycompliantbucket"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal:
              AWS: "*" # all principals should use https
            Action: "*" # for any actions
            Resource: arn:aws:s3:::mycompliantbucket/* # for any resources
            Condition:
              Bool:
                "aws:SecureTransport": false
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`No secure policy is attached to this S3 bucket:`

Add bicep and json for language support in code example (#1830) 2023-05-05 11:12:16 +02:00			`[source,yaml]`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00			`----`
			`AWSTemplateFormatVersion: 2010-09-09`
			`Resources:`
			`S3Bucket:`
			`Type: 'AWS::S3::Bucket' # Sensitive`
			`----`
update sensitive code samples s6249 (#845) 2022-02-22 18:09:50 +01:00
			`A policy is defined but forces only HTTPs communication for some users:`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00
Add bicep and json for language support in code example (#1830) 2023-05-05 11:12:16 +02:00			`[source,yaml]`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00			`----`
			`AWSTemplateFormatVersion: 2010-09-09`
			`Resources:`
			`S3Bucket:`
			`Type: 'AWS::S3::Bucket' # Sensitive`
			`Properties:`
Revert "Modify rule S6249: Update issue message (#879)" (#934) This reverts commit a6eed4fa5953db4a4b9c3f0db8b2fb6dc4e0690d. Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> 2022-04-06 14:44:06 +02:00			`BucketName: "mynoncompliantbucket"`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00
			`S3BucketPolicy:`
			`Type: 'AWS::S3::BucketPolicy'`
			`Properties:`
			`Bucket: !Ref S3Bucket`
			`PolicyDocument:`
			`Version: "2012-10-17"`
			`Statement:`
			`- Effect: Deny`
			`Principal:`
Revert "Modify rule S6249: Update issue message (#879)" (#934) This reverts commit a6eed4fa5953db4a4b9c3f0db8b2fb6dc4e0690d. Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> 2022-04-06 14:44:06 +02:00			`AWS: # Sensitive: only one principal is forced to use https`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00			`- 'arn:aws:iam::123456789123:root'`
			`Action: "*"`
Revert "Modify rule S6249: Update issue message (#879)" (#934) This reverts commit a6eed4fa5953db4a4b9c3f0db8b2fb6dc4e0690d. Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> 2022-04-06 14:44:06 +02:00			`Resource: arn:aws:s3:::mynoncompliantbuckets6249/*`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00			`Condition:`
			`Bool:`
			`"aws:SecureTransport": false`
			`----`

			`== Compliant Solution`

			`A secure policy that denies the use of all HTTP requests:`

Add bicep and json for language support in code example (#1830) 2023-05-05 11:12:16 +02:00			`[source,yaml]`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00			`----`
			`AWSTemplateFormatVersion: 2010-09-09`
			`Resources:`
			`S3Bucket:`
			`Type: 'AWS::S3::Bucket' # Compliant`
			`Properties:`
Revert "Modify rule S6249: Update issue message (#879)" (#934) This reverts commit a6eed4fa5953db4a4b9c3f0db8b2fb6dc4e0690d. Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> 2022-04-06 14:44:06 +02:00			`BucketName: "mycompliantbucket"`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00
			`S3BucketPolicy:`
			`Type: 'AWS::S3::BucketPolicy'`
			`Properties:`
Revert "Modify rule S6249: Update issue message (#879)" (#934) This reverts commit a6eed4fa5953db4a4b9c3f0db8b2fb6dc4e0690d. Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> 2022-04-06 14:44:06 +02:00			`Bucket: "mycompliantbucket"`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00			`PolicyDocument:`
			`Version: "2012-10-17"`
			`Statement:`
			`- Effect: Deny`
			`Principal:`
			`AWS: "*" # all principals should use https`
			`Action: "*" # for any actions`
Revert "Modify rule S6249: Update issue message (#879)" (#934) This reverts commit a6eed4fa5953db4a4b9c3f0db8b2fb6dc4e0690d. Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> 2022-04-06 14:44:06 +02:00			`Resource: arn:aws:s3:::mycompliantbucket/* # for any resources`
Fixed nightly update: mark the closed rules 2021-05-21 17:48:13 +02:00			`Condition:`
			`Bool:`
			`"aws:SecureTransport": false`
			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`