rspec/rules/S6270/terraform/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

This policy allows all users, including anonymous ones, to access an S3 bucket:

----
resource "aws_s3_bucket_policy" "mynoncompliantpolicy" {  # Sensitive
  bucket = aws_s3_bucket.mybucket.id
  policy = jsonencode({
    Id = "mynoncompliantpolicy"
    Version = "2012-10-17"
    Statement = [{
            Effect = "Allow"
            Principal = {
                AWS = "*" 
            }
            Action = [
                "s3:PutObject"
            ]
            Resource: "${aws_s3_bucket.mybucket.arn}/*"
        }
    ]
  })
}
----

== Compliant Solution

This policy allows only the authorized users:

[source,terraform]
----
resource "aws_s3_bucket_policy" "mycompliantpolicy" {
  bucket = aws_s3_bucket.mybucket.id
  policy = jsonencode({
    Id = "mycompliantpolicy"
    Version = "2012-10-17"
    Statement = [{
            Effect = "Allow"
            Principal = {
                AWS = [
                    "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
                ]
            }
            Action = [
                "s3:PutObject"
            ]
            Resource = "${aws_s3_bucket.mybucket.arn}/*"
        }
    ]
  })
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

Create rule S6270: Policies authorizing public access to resources are security-sensitive (APPSEC-154) (#1287) 2022-09-30 15:16:31 +02:00			`This policy allows all users, including anonymous ones, to access an S3 bucket:`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00
			`----`
			`resource "aws_s3_bucket_policy" "mynoncompliantpolicy" { # Sensitive`
			`bucket = aws_s3_bucket.mybucket.id`
update S6270 [terraform] to use jsonencode policy (#155) 2021-06-30 10:12:45 +02:00			`policy = jsonencode({`
Modify rule S6270 [terraform] to properly use jsonencode (#158) * Modify rule S6270 [terraform] to properly use jsonencode * remove incorrect comments 2021-06-30 13:38:51 +02:00			`Id = "mynoncompliantpolicy"`
			`Version = "2012-10-17"`
			`Statement = [{`
			`Effect = "Allow"`
			`Principal = {`
			`AWS = "*"`
			`}`
			`Action = [`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`"s3:PutObject"`
Modify rule S6270 [terraform] to properly use jsonencode (#158) * Modify rule S6270 [terraform] to properly use jsonencode * remove incorrect comments 2021-06-30 13:38:51 +02:00			`]`
			`Resource: "${aws_s3_bucket.mybucket.arn}/*"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`}`
			`]`
update S6270 [terraform] to use jsonencode policy (#155) 2021-06-30 10:12:45 +02:00			`})`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`}`
			`----`

			`== Compliant Solution`

			`This policy allows only the authorized users:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`----`
update S6270 [terraform] to use jsonencode policy (#155) 2021-06-30 10:12:45 +02:00			`resource "aws_s3_bucket_policy" "mycompliantpolicy" {`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`bucket = aws_s3_bucket.mybucket.id`
update S6270 [terraform] to use jsonencode policy (#155) 2021-06-30 10:12:45 +02:00			`policy = jsonencode({`
Modify rule S6270 [terraform] to properly use jsonencode (#158) * Modify rule S6270 [terraform] to properly use jsonencode * remove incorrect comments 2021-06-30 13:38:51 +02:00			`Id = "mycompliantpolicy"`
			`Version = "2012-10-17"`
			`Statement = [{`
			`Effect = "Allow"`
			`Principal = {`
			`AWS = [`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"`
			`]`
Modify rule S6270 [terraform] to properly use jsonencode (#158) * Modify rule S6270 [terraform] to properly use jsonencode * remove incorrect comments 2021-06-30 13:38:51 +02:00			`}`
			`Action = [`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`"s3:PutObject"`
Modify rule S6270 [terraform] to properly use jsonencode (#158) * Modify rule S6270 [terraform] to properly use jsonencode * remove incorrect comments 2021-06-30 13:38:51 +02:00			`]`
			`Resource = "${aws_s3_bucket.mybucket.arn}/*"`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`}`
			`]`
update S6270 [terraform] to use jsonencode policy (#155) 2021-06-30 10:12:45 +02:00			`})`
Add new IAAS-related rules 2021-05-21 18:34:30 +02:00			`}`
			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`