rspec/rules/S6265/python/rule.adoc

Predefined permissions, also known as https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl[canned ACLs], are an easy way to grant large privileges to predefined groups or users.

The following canned ACLs are security-sensitive:

* `PUBLIC_READ`, `PUBLIC_READ_WRITE` grant respectively "read" and "read and write" privileges to everyone in the world (`AllUsers` group).
* `AUTHENTICATED_READ` grants "read" privilege to all authenticated users (`AuthenticatedUsers` group).


include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

It's recommended to implement the least privilege policy, i.e., to grant necessary permissions only to users for their required tasks. In the context of canned ACL, set it to `PRIVATE` (the default one), and if needed more granularity then use an appropriate S3 policy.


== Sensitive Code Example

All users (ie: anyone in the world authenticated or not) have read and write permissions with the `PUBLIC_READ_WRITE` access control:

[source,python]
----
bucket = s3.Bucket(self, "bucket",
    access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE     # Sensitive
)

s3deploy.BucketDeployment(self, "DeployWebsite",
    access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE     # Sensitive
)
----

== Compliant Solution

With the `PRIVATE` access control (default), only the bucket owner has the read/write permissions on the buckets and its ACL.

[source,python]
----
bucket = s3.Bucket(self, "bucket",
    access_control=s3.BucketAccessControl.PRIVATE       # Compliant
)

# Another example
s3deploy.BucketDeployment(self, "DeployWebsite",
    access_control=s3.BucketAccessControl.PRIVATE       # Compliant
)
----

include::../see.adoc[]

* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html[AWS CDK version 2] - Class Bucket (construct)
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Primary: Make sure granting [PUBLIC_READ|PUBLIC_READ_WRITE|AUTHENTICATED_READ] access is safe here.
* Secondary: Propagated setting.

* Primary: Make sure allowing unrestricted access to objects from this bucket is safe here.
* Secondary: Propagated setting.

endif::env-github,rspecator-view[]
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Predefined permissions, also known as https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl[canned ACLs], are an easy way to grant large privileges to predefined groups or users.`

			`The following canned ACLs are security-sensitive:`

			* `PUBLIC_READ`, `PUBLIC_READ_WRITE` grant respectively "read" and "read and write" privileges to everyone in the world (`AllUsers` group).
			* `AUTHENTICATED_READ` grants "read" privilege to all authenticated users (`AuthenticatedUsers` group).

Modify rule S6265: Add Python as covered language (#969) 2022-05-10 11:09:02 +02:00
			`include::../ask-yourself.adoc[]`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== Recommended Secure Coding Practices`

			It's recommended to implement the least privilege policy, i.e., to grant necessary permissions only to users for their required tasks. In the context of canned ACL, set it to `PRIVATE` (the default one), and if needed more granularity then use an appropriate S3 policy.

Modify rule S6265: Add Python as covered language (#969) 2022-05-10 11:09:02 +02:00
			`== Sensitive Code Example`

			All users (ie: anyone in the world authenticated or not) have read and write permissions with the `PUBLIC_READ_WRITE` access control:

			`[source,python]`
			`----`
			`bucket = s3.Bucket(self, "bucket",`
			`access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE # Sensitive`
			`)`

			`s3deploy.BucketDeployment(self, "DeployWebsite",`
			`access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE # Sensitive`
			`)`
			`----`

			`== Compliant Solution`

			With the `PRIVATE` access control (default), only the bucket owner has the read/write permissions on the buckets and its ACL.

			`[source,python]`
			`----`
			`bucket = s3.Bucket(self, "bucket",`
			`access_control=s3.BucketAccessControl.PRIVATE # Compliant`
			`)`

			`# Another example`
			`s3deploy.BucketDeployment(self, "DeployWebsite",`
			`access_control=s3.BucketAccessControl.PRIVATE # Compliant`
			`)`
			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Modify rule S6265: Add Python as covered language (#969) 2022-05-10 11:09:02 +02:00			`* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html[AWS CDK version 2] - Class Bucket (construct)`
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`=== Message`

			`* Primary: Make sure granting [PUBLIC_READ\|PUBLIC_READ_WRITE\|AUTHENTICATED_READ] access is safe here.`
			`* Secondary: Propagated setting.`

			`* Primary: Make sure allowing unrestricted access to objects from this bucket is safe here.`
			`* Secondary: Propagated setting.`

			`endif::env-github,rspecator-view[]`