Modify rule S6249: Add Python as covered language (#970)
This commit is contained in:
marco-bearzi-sonarsource
GitHub
parent
cdff544c36
commit
2ac4200691
3
rules/S6249/python/metadata.json
Normal file
3
rules/S6249/python/metadata.json
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
{
|
||||||
|
|
||||||
|
}
|
||||||
74
rules/S6249/python/rule.adoc
Normal file
74
rules/S6249/python/rule.adoc
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
include::../description.adoc[]
|
||||||
|
|
||||||
|
include::../ask-yourself.adoc[]
|
||||||
|
|
||||||
|
include::../recommended.adoc[]
|
||||||
|
|
||||||
|
== Sensitive Code Example
|
||||||
|
|
||||||
|
No secure policy is attached to this bucket:
|
||||||
|
|
||||||
|
[source,python]
|
||||||
|
----
|
||||||
|
import aws_cdk.aws_s3 as s3
|
||||||
|
import aws_cdk.aws_iam as iam
|
||||||
|
|
||||||
|
bucket = s3.Bucket(self, "bucket") # Sensitive
|
||||||
|
----
|
||||||
|
|
||||||
|
A policy is defined but forces only HTTPs communication for some users, some objects of the bucket and for some actions:
|
||||||
|
|
||||||
|
[source,python]
|
||||||
|
----
|
||||||
|
bucket = s3.Bucket(self, "bucket")
|
||||||
|
bucket.add_to_resource_policy(iam.PolicyStatement( # Sensitive
|
||||||
|
effect=iam.Effect.DENY,
|
||||||
|
resources=[bucket.bucket_arn],
|
||||||
|
actions=["s3:SomeAction"],
|
||||||
|
principals=[roles],
|
||||||
|
conditions=[{"Bool": {"aws:SecureTransport": False}}]
|
||||||
|
)
|
||||||
|
)
|
||||||
|
----
|
||||||
|
|
||||||
|
== Compliant Solution
|
||||||
|
A bucket policy that complies with s3-bucket-ssl-requests-only rule should be used. To adhere to it, the bucket policies need to explicitly deny access to HTTP requests.
|
||||||
|
|
||||||
|
A secure policy that enforces SSL on requests (default: False):
|
||||||
|
|
||||||
|
[source,python]
|
||||||
|
----
|
||||||
|
bucket = S3.Bucket(self,
|
||||||
|
"bucket",
|
||||||
|
enforce_ssl=True
|
||||||
|
)
|
||||||
|
|
||||||
|
----
|
||||||
|
A secure policy that denies all HTTP requests is used:
|
||||||
|
|
||||||
|
[source,python]
|
||||||
|
----
|
||||||
|
bucket = s3.Bucket(self, "bucket")
|
||||||
|
|
||||||
|
result = bucket.add_to_resource_policy(iam.PolicyStatement(
|
||||||
|
effect=iam.Effect.DENY,
|
||||||
|
resources=["*"],
|
||||||
|
actions=["s3:*"],
|
||||||
|
principals=["*"],
|
||||||
|
conditions=["SecureTransport:False"]
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
----
|
||||||
|
|
||||||
|
include::../see.adoc[]
|
||||||
|
* https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5[AWS Foundational Security Best Practices controls] - S3 buckets should require requests to use Secure Socket Layer
|
||||||
|
ifdef::env-github,rspecator-view[]
|
||||||
|
|
||||||
|
'''
|
||||||
|
== Implementation Specification
|
||||||
|
(visible only on this page)
|
||||||
|
|
||||||
|
include::../message.adoc[]
|
||||||
|
|
||||||
|
endif::env-github,rspecator-view[]
|
||||||
Loading…
x
Reference in New Issue
Block a user