rspec/rules/S6255/terraform/rule.adoc

When S3 buckets versioning is enabled it's possible to add an additional authentication factor before being allowed to delete versions of an object or changing the versioning state of a bucket. It prevents accidental object deletion by forcing the user sending the delete request to prove that he has a valid MFA device and a corresponding valid token.


== Ask Yourself Whether

* The S3 bucket stores sensitive information that is required to be preserved on the long term.
* The S3 bucket grants delete permission to many users.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

It's recommended to enable S3 MFA delete, note that:

* MFA delete can only be enabled with the AWS CLI or API and with the root account.
* To delete an object version, the API should be used with the ``++x-amz-mfa++`` header.
* The API request, with the ``++x-amz-mfa++`` header, can only be used in HTTPS.


== Sensitive Code Example

A versioned S3 bucket doesn't have MFA delete enabled:

[source,terraform]
----
resource "aws_s3_bucket" "example" { # Sensitive
  bucket = "example"

  versioning {
    enabled = true
  }
}
----


== Compliant Solution

MFA delete is enabled (https://github.com/hashicorp/terraform-provider-aws/issues/629[it's not possible to set this option] to a new S3 bucket with Terraform but the Terraform template can be updated that way it reflects the state):

[source,terraform]
----
resource "aws_s3_bucket" "example" { # Compliant 
  bucket = "example"

  versioning {
    enabled = true
    mfa_delete = true
  }
}
----

== See

* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html[AWS documentation] - Configuring MFA delete
* https://cwe.mitre.org/data/definitions/308[MITRE, CWE-308] - Use of Single-factor Authentication
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication 

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

endif::env-github,rspecator-view[]
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`When S3 buckets versioning is enabled it's possible to add an additional authentication factor before being allowed to delete versions of an object or changing the versioning state of a bucket. It prevents accidental object deletion by forcing the user sending the delete request to prove that he has a valid MFA device and a corresponding valid token.`


			`== Ask Yourself Whether`

			`* The S3 bucket stores sensitive information that is required to be preserved on the long term.`
			`* The S3 bucket grants delete permission to many users.`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`It's recommended to enable S3 MFA delete, note that:`

			`* MFA delete can only be enabled with the AWS CLI or API and with the root account.`
			* To delete an object version, the API should be used with the ``++x-amz-mfa++`` header.
			* The API request, with the ``++x-amz-mfa++`` header, can only be used in HTTPS.


			`== Sensitive Code Example`

			`A versioned S3 bucket doesn't have MFA delete enabled:`

Modify rule S6255: Update issue message (#881) * Update message * Update code examples * Fix extra coma Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-16 09:54:32 +01:00			`[source,terraform]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
Modify rule S6255: Update issue message (#881) * Update message * Update code examples * Fix extra coma Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-16 09:54:32 +01:00			`resource "aws_s3_bucket" "example" { # Sensitive`
			`bucket = "example"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`versioning {`
			`enabled = true`
			`}`
			`}`
			`----`


			`== Compliant Solution`

			`MFA delete is enabled (https://github.com/hashicorp/terraform-provider-aws/issues/629[it's not possible to set this option] to a new S3 bucket with Terraform but the Terraform template can be updated that way it reflects the state):`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
Modify rule S6255: Update issue message (#881) * Update message * Update code examples * Fix extra coma Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-16 09:54:32 +01:00			`resource "aws_s3_bucket" "example" { # Compliant`
			`bucket = "example"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`versioning {`
			`enabled = true`
			`mfa_delete = true`
			`}`
			`}`
			`----`

			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`* https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html[AWS documentation] - Configuring MFA delete`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/308[MITRE, CWE-308] - Use of Single-factor Authentication`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`endif::env-github,rspecator-view[]`