rspec/rules/S6249/python/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

No secure policy is attached to this bucket:

[source,python]
----
import aws_cdk.aws_s3 as s3
import aws_cdk.aws_iam as iam

bucket = s3.Bucket(self, "bucket") # Sensitive
----

A policy is defined but forces only HTTPs communication for some users, some objects of the bucket and for some actions:

[source,python]
----
bucket = s3.Bucket(self, "bucket")
bucket.add_to_resource_policy(iam.PolicyStatement(     # Sensitive
    effect=iam.Effect.DENY,
    resources=[bucket.bucket_arn],
    actions=["s3:SomeAction"],
    principals=[roles],
    conditions=[{"Bool": {"aws:SecureTransport": False}}]
    )
)
----

== Compliant Solution
A bucket policy that complies with s3-bucket-ssl-requests-only rule should be used. To adhere to it, the bucket policies need to explicitly deny access to HTTP requests.

A secure policy that enforces SSL on requests (default: False):

[source,python]
----
bucket = S3.Bucket(self,
    "bucket",
    enforce_ssl=True
)

----
A secure policy that denies all HTTP requests is used:

[source,python]
----
bucket = s3.Bucket(self, "bucket")

result = bucket.add_to_resource_policy(iam.PolicyStatement(
    effect=iam.Effect.DENY,
    resources=["*"],
    actions=["s3:*"],
    principals=["*"],
    conditions=["SecureTransport:False"]
    )
)

----

include::../see.adoc[]

* https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5[AWS Foundational Security Best Practices controls] - S3 buckets should require requests to use Secure Socket Layer
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Modify rule S6249: Add Python as covered language (#970) 2022-05-10 11:08:38 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`No secure policy is attached to this bucket:`

			`[source,python]`
			`----`
			`import aws_cdk.aws_s3 as s3`
			`import aws_cdk.aws_iam as iam`

			`bucket = s3.Bucket(self, "bucket") # Sensitive`
			`----`

			`A policy is defined but forces only HTTPs communication for some users, some objects of the bucket and for some actions:`

			`[source,python]`
			`----`
			`bucket = s3.Bucket(self, "bucket")`
			`bucket.add_to_resource_policy(iam.PolicyStatement( # Sensitive`
			`effect=iam.Effect.DENY,`
			`resources=[bucket.bucket_arn],`
			`actions=["s3:SomeAction"],`
			`principals=[roles],`
			`conditions=[{"Bool": {"aws:SecureTransport": False}}]`
			`)`
			`)`
			`----`

			`== Compliant Solution`
			`A bucket policy that complies with s3-bucket-ssl-requests-only rule should be used. To adhere to it, the bucket policies need to explicitly deny access to HTTP requests.`

			`A secure policy that enforces SSL on requests (default: False):`

			`[source,python]`
			`----`
			`bucket = S3.Bucket(self,`
			`"bucket",`
			`enforce_ssl=True`
			`)`

			`----`
			`A secure policy that denies all HTTP requests is used:`

			`[source,python]`
			`----`
			`bucket = s3.Bucket(self, "bucket")`

			`result = bucket.add_to_resource_policy(iam.PolicyStatement(`
			`effect=iam.Effect.DENY,`
			`resources=["*"],`
			`actions=["s3:*"],`
			`principals=["*"],`
			`conditions=["SecureTransport:False"]`
			`)`
			`)`

			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Modify rule S6249: Add Python as covered language (#970) 2022-05-10 11:08:38 +02:00			`* https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5[AWS Foundational Security Best Practices controls] - S3 buckets should require requests to use Secure Socket Layer`
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`