rspec/rules/S6281/python/rule.adoc

include::description.adoc[]

include::../ask-yourself.adoc[]

include::recommended.adoc[]

== Sensitive Code Example

By default, when not set, the `block_public_access` is fully deactivated (nothing is blocked):

[source,python]
----
bucket = s3.Bucket(self,
    "bucket"        # Sensitive
)
----

This `block_public_access` allows public ACL to be set:

[source,python]
----
bucket = s3.Bucket(self,
    "bucket",
    block_public_access=s3.BlockPublicAccess(
        block_public_acls=False,       # Sensitive
        ignore_public_acls=True,
        block_public_policy=True,
        restrict_public_buckets=True
    )
)
----

The attribute `BLOCK_ACLS` only blocks and ignores public ACLs:

[source,python]
----
bucket = s3.Bucket(self,
    "bucket",
    block_public_access=s3.BlockPublicAccess.BLOCK_ACLS     # Sensitive
)
----

== Compliant Solution

This `block_public_access` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:

[source,python]
----
bucket = s3.Bucket(self,
    "bucket",
    block_public_access=s3.BlockPublicAccess.BLOCK_ALL # Compliant
)
----

A similar configuration to the one above can obtained by setting all parameters of the `block_public_access`

[source,python]
----
bucket = s3.Bucket(self, "bucket",
    block_public_access=s3.BlockPublicAccess(       # Compliant
        block_public_acls=True,
        ignore_public_acls=True,
        block_public_policy=True,
        restrict_public_buckets=True
    )
)
----

include::../see.adoc[]
* https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_s3/Bucket.html[AWS CDK version 2] - Bucket
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::highlighting.adoc[]

endif::env-github,rspecator-view[]
Modify rule S6281: Add Python as covered language (#973) 2022-05-10 11:00:24 +02:00			`include::description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::recommended.adoc[]`

			`== Sensitive Code Example`

			By default, when not set, the `block_public_access` is fully deactivated (nothing is blocked):

			`[source,python]`
			`----`
			`bucket = s3.Bucket(self,`
			`"bucket" # Sensitive`
			`)`
			`----`

			This `block_public_access` allows public ACL to be set:

			`[source,python]`
			`----`
			`bucket = s3.Bucket(self,`
			`"bucket",`
			`block_public_access=s3.BlockPublicAccess(`
			`block_public_acls=False, # Sensitive`
			`ignore_public_acls=True,`
			`block_public_policy=True,`
			`restrict_public_buckets=True`
			`)`
			`)`
			`----`

			The attribute `BLOCK_ACLS` only blocks and ignores public ACLs:

			`[source,python]`
			`----`
			`bucket = s3.Bucket(self,`
			`"bucket",`
			`block_public_access=s3.BlockPublicAccess.BLOCK_ACLS # Sensitive`
			`)`
			`----`

			`== Compliant Solution`

			This `block_public_access` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:

			`[source,python]`
			`----`
			`bucket = s3.Bucket(self,`
			`"bucket",`
			`block_public_access=s3.BlockPublicAccess.BLOCK_ALL # Compliant`
			`)`
			`----`

			A similar configuration to the one above can obtained by setting all parameters of the `block_public_access`

			`[source,python]`
			`----`
			`bucket = s3.Bucket(self, "bucket",`
			`block_public_access=s3.BlockPublicAccess( # Compliant`
			`block_public_acls=True,`
			`ignore_public_acls=True,`
			`block_public_policy=True,`
			`restrict_public_buckets=True`
			`)`
			`)`
			`----`

			`include::../see.adoc[]`
			`* https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_s3/Bucket.html[AWS CDK version 2] - Bucket`
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`include::highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`