55 lines
1.4 KiB
Plaintext
55 lines
1.4 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
By default, when not set, the ``++aws_s3_bucket_public_access_block++`` is fully deactivated (nothing is blocked):
|
||
|
|
|
||
|
|
----
|
||
|
|
resource "aws_s3_bucket" "mynoncompliantfirstbucket" { # sensitive: by default it's unsafe
|
||
|
|
bucket = "mynoncompliantfirstbucketname"
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
This ``++aws_s3_bucket_public_access_block++`` allows public ACL to be set:
|
||
|
|
|
||
|
|
----
|
||
|
|
resource "aws_s3_bucket" "mynoncompliantsecondbucket" { # sensitive (s6281)
|
||
|
|
bucket = "mynoncompliantsecondbucketname"
|
||
|
|
}
|
||
|
|
|
||
|
|
resource "aws_s3_bucket_public_access_block" "mynoncompliantspublicaccess" {
|
||
|
|
bucket = aws_s3_bucket.mynoncompliantsecondbucket.id
|
||
|
|
|
||
|
|
block_public_acls = false # should be true
|
||
|
|
block_public_policy = true
|
||
|
|
ignore_public_acls = true
|
||
|
|
restrict_public_buckets = true
|
||
|
|
}
|
||
|
|
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
This ``++aws_s3_bucket_public_access_block++`` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:
|
||
|
|
|
||
|
|
----
|
||
|
|
resource "aws_s3_bucket" "mycompliantbucket" {
|
||
|
|
bucket = "mycompliantbucketname"
|
||
|
|
}
|
||
|
|
|
||
|
|
resource "aws_s3_bucket_public_access_block" "mycompliantpublicaccess" {
|
||
|
|
bucket = aws_s3_bucket.mycompliantbucket.id
|
||
|
|
|
||
|
|
block_public_acls = true
|
||
|
|
block_public_policy = true
|
||
|
|
ignore_public_acls = true
|
||
|
|
restrict_public_buckets = true
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|