Modify rule S6249: Add Python as covered language (#970)
This commit is contained in:
marco-bearzi-sonarsource
GitHub
parent
cdff544c36
commit
2ac4200691
3
rules/S6249/python/metadata.json
Normal file
3
rules/S6249/python/metadata.json
Normal file
@ -0,0 +1,3 @@
|
||||
{
|
||||
|
||||
}
|
||||
74
rules/S6249/python/rule.adoc
Normal file
74
rules/S6249/python/rule.adoc
Normal file
@ -0,0 +1,74 @@
|
||||
include::../description.adoc[]
|
||||
|
||||
include::../ask-yourself.adoc[]
|
||||
|
||||
include::../recommended.adoc[]
|
||||
|
||||
== Sensitive Code Example
|
||||
|
||||
No secure policy is attached to this bucket:
|
||||
|
||||
[source,python]
|
||||
----
|
||||
import aws_cdk.aws_s3 as s3
|
||||
import aws_cdk.aws_iam as iam
|
||||
|
||||
bucket = s3.Bucket(self, "bucket") # Sensitive
|
||||
----
|
||||
|
||||
A policy is defined but forces only HTTPs communication for some users, some objects of the bucket and for some actions:
|
||||
|
||||
[source,python]
|
||||
----
|
||||
bucket = s3.Bucket(self, "bucket")
|
||||
bucket.add_to_resource_policy(iam.PolicyStatement( # Sensitive
|
||||
effect=iam.Effect.DENY,
|
||||
resources=[bucket.bucket_arn],
|
||||
actions=["s3:SomeAction"],
|
||||
principals=[roles],
|
||||
conditions=[{"Bool": {"aws:SecureTransport": False}}]
|
||||
)
|
||||
)
|
||||
----
|
||||
|
||||
== Compliant Solution
|
||||
A bucket policy that complies with s3-bucket-ssl-requests-only rule should be used. To adhere to it, the bucket policies need to explicitly deny access to HTTP requests.
|
||||
|
||||
A secure policy that enforces SSL on requests (default: False):
|
||||
|
||||
[source,python]
|
||||
----
|
||||
bucket = S3.Bucket(self,
|
||||
"bucket",
|
||||
enforce_ssl=True
|
||||
)
|
||||
|
||||
----
|
||||
A secure policy that denies all HTTP requests is used:
|
||||
|
||||
[source,python]
|
||||
----
|
||||
bucket = s3.Bucket(self, "bucket")
|
||||
|
||||
result = bucket.add_to_resource_policy(iam.PolicyStatement(
|
||||
effect=iam.Effect.DENY,
|
||||
resources=["*"],
|
||||
actions=["s3:*"],
|
||||
principals=["*"],
|
||||
conditions=["SecureTransport:False"]
|
||||
)
|
||||
)
|
||||
|
||||
----
|
||||
|
||||
include::../see.adoc[]
|
||||
* https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5[AWS Foundational Security Best Practices controls] - S3 buckets should require requests to use Secure Socket Layer
|
||||
ifdef::env-github,rspecator-view[]
|
||||
|
||||
'''
|
||||
== Implementation Specification
|
||||
(visible only on this page)
|
||||
|
||||
include::../message.adoc[]
|
||||
|
||||
endif::env-github,rspecator-view[]
|
||||
Loading…
x
Reference in New Issue
Block a user