rspec/rules/S6255/terraform/rule.adoc

When S3 buckets versioning is enabled it's possible to add an additional authentication factor before being allowed to delete versions of an object or changing the versioning state of a bucket. It prevents accidental object deletion by forcing the user sending the delete request to prove that he has a valid MFA device and a corresponding valid token.


== Ask Yourself Whether

* The S3 bucket stores sensitive information that is required to be preserved on the long term.
* The S3 bucket grants delete permission to many users.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

It's recommended to enable S3 MFA delete, note that:

* MFA delete can only be enabled with the AWS CLI or API and with the root account.
* To delete an object version, the API should be used with the ``++x-amz-mfa++`` header.
* The API request, with the ``++x-amz-mfa++`` header, can only be used in HTTPS.


== Sensitive Code Example

A versioned S3 bucket does not have MFA delete enabled for AWS provider version 3 or below:

[source,terraform]
----
resource "aws_s3_bucket" "example" { # Sensitive
  bucket = "example"

  versioning {
    enabled = true
  }
}
----

A versioned S3 bucket does not have MFA delete enabled for AWS provider version 4 or above:

[source,terraform]
----
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "example" { # Sensitive
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status = "Enabled"
  }
}
----

== Compliant Solution

MFA delete is enabled for AWS provider version 3 or below:

[source,terraform]
----
resource "aws_s3_bucket" "example" {
  bucket = "example"

  versioning {
    enabled = true
    mfa_delete = true
  }
}
----

MFA delete is enabled for AWS provider version 4 or above:

[source,terraform]
----
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status = "Enabled"
    mfa_delete = "Enabled"
  }
  mfa = "${var.MFA}"
}
----

== See

* https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html[AWS documentation] - Configuring MFA delete
* CWE - https://cwe.mitre.org/data/definitions/308[CWE-308 - Use of Single-factor Authentication]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure allowing object deletion without MFA is safe here.


endif::env-github,rspecator-view[]
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`When S3 buckets versioning is enabled it's possible to add an additional authentication factor before being allowed to delete versions of an object or changing the versioning state of a bucket. It prevents accidental object deletion by forcing the user sending the delete request to prove that he has a valid MFA device and a corresponding valid token.`


			`== Ask Yourself Whether`

			`* The S3 bucket stores sensitive information that is required to be preserved on the long term.`
			`* The S3 bucket grants delete permission to many users.`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`It's recommended to enable S3 MFA delete, note that:`

			`* MFA delete can only be enabled with the AWS CLI or API and with the root account.`
			* To delete an object version, the API should be used with the ``++x-amz-mfa++`` header.
			* The API request, with the ``++x-amz-mfa++`` header, can only be used in HTTPS.


			`== Sensitive Code Example`

Modify rule S6255: Add new Terraform code sample (#1379) 2022-11-07 11:39:15 +01:00			`A versioned S3 bucket does not have MFA delete enabled for AWS provider version 3 or below:`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
Modify rule S6255: Update issue message (#881) * Update message * Update code examples * Fix extra coma Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-16 09:54:32 +01:00			`[source,terraform]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
Modify rule S6255: Update issue message (#881) * Update message * Update code examples * Fix extra coma Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-16 09:54:32 +01:00			`resource "aws_s3_bucket" "example" { # Sensitive`
			`bucket = "example"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`versioning {`
			`enabled = true`
			`}`
			`}`
			`----`

Modify rule S6255: Add new Terraform code sample (#1379) 2022-11-07 11:39:15 +01:00			`A versioned S3 bucket does not have MFA delete enabled for AWS provider version 4 or above:`

			`[source,terraform]`
			`----`
			`resource "aws_s3_bucket" "example" {`
			`bucket = "example"`
			`}`

			`resource "aws_s3_bucket_versioning" "example" { # Sensitive`
			`bucket = aws_s3_bucket.example.id`
			`versioning_configuration {`
			`status = "Enabled"`
			`}`
			`}`
			`----`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`== Compliant Solution`

Modify rule S6255: Add new Terraform code sample (#1379) 2022-11-07 11:39:15 +01:00			`MFA delete is enabled for AWS provider version 3 or below:`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
Modify rule S6255: Add new Terraform code sample (#1379) 2022-11-07 11:39:15 +01:00			`resource "aws_s3_bucket" "example" {`
Modify rule S6255: Update issue message (#881) * Update message * Update code examples * Fix extra coma Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> 2022-03-16 09:54:32 +01:00			`bucket = "example"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`versioning {`
			`enabled = true`
			`mfa_delete = true`
			`}`
			`}`
			`----`

Modify rule S6255: Add new Terraform code sample (#1379) 2022-11-07 11:39:15 +01:00			`MFA delete is enabled for AWS provider version 4 or above:`

			`[source,terraform]`
			`----`
			`resource "aws_s3_bucket" "example" {`
			`bucket = "example"`
			`}`

			`resource "aws_s3_bucket_versioning" "example" {`
			`bucket = aws_s3_bucket.example.id`
			`versioning_configuration {`
			`status = "Enabled"`
			`mfa_delete = "Enabled"`
			`}`
			`mfa = "${var.MFA}"`
			`}`
			`----`

Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`== See`

			`* https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html[AWS documentation] - Configuring MFA delete`
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/308[CWE-308 - Use of Single-factor Authentication]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure allowing object deletion without MFA is safe here.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`endif::env-github,rspecator-view[]`