rspec/rules/S6270/cloudformation/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

This policy allows all users, including anonymous ones, to access an S3 bucket:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy' # Sensitive
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: "*" # all principals / anonymous access
            Action: "s3:PutObject" # can put object
            Resource: arn:aws:s3:::mybucket/* 
----

== Compliant Solution

This policy allows only the authorized users:

[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy' # Compliant
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: 
                - !Sub 'arn:aws:iam::${AWS::AccountId}:root' # only this principal
            Action: "s3:PutObject" # can put object
            Resource: arn:aws:s3:::mybucket/* 
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-154) (#1287) 2022-09-30 15:16:31 +02:00			`This policy allows all users, including anonymous ones, to access an S3 bucket:`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
Add bicep and json for language support in code example (#1830) 2023-05-05 11:12:16 +02:00			`[source,yaml]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
			`AWSTemplateFormatVersion: 2010-09-09`
			`Resources:`
			`S3BucketPolicy:`
			`Type: 'AWS::S3::BucketPolicy' # Sensitive`
			`Properties:`
			`Bucket: !Ref S3Bucket`
			`PolicyDocument:`
			`Version: "2012-10-17"`
			`Statement:`
			`- Effect: Allow`
			`Principal:`
			`AWS: "*" # all principals / anonymous access`
			`Action: "s3:PutObject" # can put object`
			`Resource: arn:aws:s3:::mybucket/*`
			`----`

			`== Compliant Solution`

			`This policy allows only the authorized users:`

Add bicep and json for language support in code example (#1830) 2023-05-05 11:12:16 +02:00			`[source,yaml]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
			`AWSTemplateFormatVersion: 2010-09-09`
			`Resources:`
			`S3BucketPolicy:`
			`Type: 'AWS::S3::BucketPolicy' # Compliant`
			`Properties:`
			`Bucket: !Ref S3Bucket`
			`PolicyDocument:`
			`Version: "2012-10-17"`
			`Statement:`
			`- Effect: Allow`
			`Principal:`
			`AWS:`
			`- !Sub 'arn:aws:iam::${AWS::AccountId}:root' # only this principal`
			`Action: "s3:PutObject" # can put object`
			`Resource: arn:aws:s3:::mybucket/*`
			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`