rspec/rules/S6281/cloudformation/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

By default, when not set, the ``++PublicAccessBlockConfiguration++`` is fully deactivated (nothing is blocked):

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucketdefault:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties:
      BucketName: "example"  
----

This ``++PublicAccessBlockConfiguration++`` allows public ACL to be set:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties:
      BucketName: "example"  
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false # should be true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
----

== Compliant Solution

This ``++PublicAccessBlockConfiguration++`` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Compliant
    Properties:
      BucketName: "example" 
      PublicAccessBlockConfiguration: 
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Primary locations
** Make sure allowing public ACL/policies to be set is safe here.
** Omitting "PublicAccessBlockConfiguration" allows public ACL/policies to be set on this S3 bucket. Make sure it is safe here.
* Secondary location
** Set this property to true


=== Highlighting

* Primary locations
** PublicAccessBlockConfiguration property
** AWS::S3::Bucket resource
* Secondary location
** BlockPublicAcls / BlockPublicPolicy / IgnorePublicAcls / RestrictPublicBuckets properties set to false


endif::env-github,rspecator-view[]
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			By default, when not set, the ``++PublicAccessBlockConfiguration++`` is fully deactivated (nothing is blocked):

Add bicep and json for language support in code example (#1830) 2023-05-05 11:12:16 +02:00			`[source,yaml]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
			`AWSTemplateFormatVersion: 2010-09-09`
			`Resources:`
			`S3Bucketdefault:`
			`Type: 'AWS::S3::Bucket' # Sensitive`
			`Properties:`
Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`BucketName: "example"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`

			This ``++PublicAccessBlockConfiguration++`` allows public ACL to be set:

Add bicep and json for language support in code example (#1830) 2023-05-05 11:12:16 +02:00			`[source,yaml]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
			`AWSTemplateFormatVersion: 2010-09-09`
			`Resources:`
			`S3Bucket:`
			`Type: 'AWS::S3::Bucket' # Sensitive`
			`Properties:`
Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`BucketName: "example"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`PublicAccessBlockConfiguration:`
			`BlockPublicAcls: false # should be true`
			`BlockPublicPolicy: true`
			`IgnorePublicAcls: true`
			`RestrictPublicBuckets: true`
			`----`

			`== Compliant Solution`

			This ``++PublicAccessBlockConfiguration++`` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:

Add bicep and json for language support in code example (#1830) 2023-05-05 11:12:16 +02:00			`[source,yaml]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
			`AWSTemplateFormatVersion: 2010-09-09`
			`Resources:`
			`S3Bucket:`
			`Type: 'AWS::S3::Bucket' # Compliant`
			`Properties:`
Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00			`BucketName: "example"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`PublicAccessBlockConfiguration:`
			`BlockPublicAcls: true`
			`BlockPublicPolicy: true`
			`IgnorePublicAcls: true`
			`RestrictPublicBuckets: true`
			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`* Primary locations`
			`** Make sure allowing public ACL/policies to be set is safe here.`
			`** Omitting "PublicAccessBlockConfiguration" allows public ACL/policies to be set on this S3 bucket. Make sure it is safe here.`
			`* Secondary location`
			`** Set this property to true`


			`=== Highlighting`

			`* Primary locations`
			`** PublicAccessBlockConfiguration property`
			`** AWS::S3::Bucket resource`
			`* Secondary location`
			`** BlockPublicAcls / BlockPublicPolicy / IgnorePublicAcls / RestrictPublicBuckets properties set to false`
Modify rule S6281: Update issue messages (#884) * Add messages and highlighting * Update code examples Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-25 14:41:52 +01:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`endif::env-github,rspecator-view[]`