rspec/rules/S6270/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

This policy allows all users, including anonymous ones, to access an S3 bucket:

[source,javascript]
----
import { aws_iam as iam } from 'aws-cdk-lib'
import { aws_s3 as s3 } from 'aws-cdk-lib'

const bucket = new s3.Bucket(this, "ExampleBucket")

bucket.addToResourcePolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ["s3:*"],
    resources: [bucket.arnForObjects("*")],
    principals: [new iam.AnyPrincipal()] // Sensitive
}))

----

== Compliant Solution

This policy allows only the authorized users:

[source,javascript]
----
import { aws_iam as iam } from 'aws-cdk-lib'
import { aws_s3 as s3 } from 'aws-cdk-lib'

const bucket = new s3.Bucket(this, "ExampleBucket")

bucket.addToResourcePolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ["s3:*"],
    resources: [bucket.arnForObjects("*")],
    principals: [new iam.AccountRootPrincipal()]
}))
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]
Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-172) (#1311) 2022-10-11 10:28:07 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`This policy allows all users, including anonymous ones, to access an S3 bucket:`

			`[source,javascript]`
			`----`
			`import { aws_iam as iam } from 'aws-cdk-lib'`
			`import { aws_s3 as s3 } from 'aws-cdk-lib'`

			`const bucket = new s3.Bucket(this, "ExampleBucket")`

			`bucket.addToResourcePolicy(new iam.PolicyStatement({`
			`effect: iam.Effect.ALLOW,`
			`actions: ["s3:*"],`
			`resources: [bucket.arnForObjects("*")],`
			`principals: [new iam.AnyPrincipal()] // Sensitive`
			`}))`

			`----`

			`== Compliant Solution`

			`This policy allows only the authorized users:`

			`[source,javascript]`
			`----`
			`import { aws_iam as iam } from 'aws-cdk-lib'`
			`import { aws_s3 as s3 } from 'aws-cdk-lib'`

			`const bucket = new s3.Bucket(this, "ExampleBucket")`

			`bucket.addToResourcePolicy(new iam.PolicyStatement({`
			`effect: iam.Effect.ALLOW,`
			`actions: ["s3:*"],`
			`resources: [bucket.arnForObjects("*")],`
			`principals: [new iam.AccountRootPrincipal()]`
			`}))`
			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-172) (#1311) 2022-10-11 10:28:07 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::../highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`