55 lines
1.5 KiB
Plaintext
55 lines
1.5 KiB
Plaintext
|
include::description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
All users (ie: anyone in the world authenticated or not) have read and write permissions with the `PUBLIC_READ_WRITE` access control:
|
||
|
|
|
||
|
|
[source,python]
|
||
|
|
----
|
||
|
|
bucket = s3.Bucket(self, "bucket",
|
||
|
|
access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE # Sensitive
|
||
|
|
)
|
||
|
|
|
||
|
|
s3deploy.BucketDeployment(self, "DeployWebsite",
|
||
|
|
access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE # Sensitive
|
||
|
|
)
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
With the `PRIVATE` access control (default), only the bucket owner has the read/write permissions on the buckets and its ACL.
|
||
|
|
|
||
|
|
[source,python]
|
||
|
|
----
|
||
|
|
bucket = s3.Bucket(self, "bucket",
|
||
|
|
access_control=s3.BucketAccessControl.PRIVATE # Compliant
|
||
|
|
)
|
||
|
|
|
||
|
|
# Another example
|
||
|
|
s3deploy.BucketDeployment(self, "DeployWebsite",
|
||
|
|
access_control=s3.BucketAccessControl.PRIVATE # Compliant
|
||
|
|
)
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|
||
|
|
* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html[AWS CDK version 2] - Class Bucket (construct)
|
||
|
|
ifdef::env-github,rspecator-view[]
|
||
|
|
|
||
|
|
'''
|
||
|
|
== Implementation Specification
|
||
|
|
(visible only on this page)
|
||
|
|
|
||
|
|
=== Message
|
||
|
|
|
||
|
|
* Primary: Make sure granting [PUBLIC_READ|PUBLIC_READ_WRITE|AUTHENTICATED_READ] access is safe here.
|
||
|
|
* Secondary: Propagated setting.
|
||
|
|
|
||
|
|
* Primary: Make sure allowing unrestricted access to objects from this bucket is safe here.
|
||
|
|
* Secondary: Propagated setting.
|
||
|
|
|
||
|
|
endif::env-github,rspecator-view[]
|