From dd52d59602c61d3a1518d261e2e73c78b95a78db Mon Sep 17 00:00:00 2001
From: Pierre-Loup <49131563+pierre-loup-tristant-sonarsource@users.noreply.github.com>
Date: Thu, 20 Mar 2025 15:11:28 +0100
Subject: [PATCH] Modify rule S6249: update message (#935) * S6249: Update issue message * Add secondary location * Update code example Remove "mynoncompliant" from the resource names. Add language specificators for code blocks * Apply suggestions from code review Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update secondary location issue message --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
---
 rules/S6249/cloudformation/rule.adoc | 17 +++++++-----
 rules/S6249/highlighting.adoc | 6 ++++
 rules/S6249/message.adoc | 5 +++-
 rules/S6249/terraform/rule.adoc | 41 ++++++++++++++--------------
 4 files changed, 41 insertions(+), 28 deletions(-)
 create mode 100644 rules/S6249/highlighting.adoc
diff --git a/rules/S6249/cloudformation/rule.adoc b/rules/S6249/cloudformation/rule.adoc
index 4260eff68d..e46d3baabc 100644
--- a/rules/S6249/cloudformation/rule.adoc
+++ b/rules/S6249/cloudformation/rule.adoc
@@ -25,7 +25,7 @@ Resources: S3Bucket: Type: 'AWS::S3::Bucket' # Sensitive Properties: - BucketName: "bucketname" + BucketName: "example-bucket" S3BucketPolicy: Type: 'AWS::S3::BucketPolicy'
@@ -36,12 +36,12 @@ Resources: Statement: - Effect: Deny Principal: - AWS: # Sensitive: only one principal is forced to use https + AWS: # Only one principal is forced to use https - 'arn:aws:iam::123456789123:root' Action: "*" Resource: - - arn:aws:s3:::bucketname - - arn:aws:s3:::bucketname/* + - arn:aws:s3:::example-bucket + - arn:aws:s3:::example-bucket/* Condition: Bool: "aws:SecureTransport": false
@@ -58,11 +58,12 @@ Resources: S3Bucket: Type: 'AWS::S3::Bucket' # Compliant Properties: - BucketName: "bucketname" + BucketName: "example-bucket" S3BucketPolicy: Type: 'AWS::S3::BucketPolicy' Properties: + Bucket: !Ref S3Bucket PolicyDocument: Version: "2012-10-17"
@@ -72,8 +73,8 @@ Resources: AWS: "*" # all principals should use https Action: "*" # for any actions Resource: # for the bucket and all its objects - - arn:aws:s3:::bucketname - - arn:aws:s3:::bucketname/* + - arn:aws:s3:::example-bucket + - arn:aws:s3:::example-bucket/* Condition: Bool: "aws:SecureTransport": false
@@ -89,4 +90,6 @@ ifdef::env-github,rspecator-view[] include::../message.adoc[] +include::../highlighting.adoc[] + endif::env-github,rspecator-view[]
diff --git a/rules/S6249/highlighting.adoc b/rules/S6249/highlighting.adoc
new file mode 100644
index 0000000000..ca17625fbb
--- /dev/null
+++ b/rules/S6249/highlighting.adoc
@@ -0,0 +1,6 @@
+=== Highlighting
+
+* Primary location
+** The S3 bucket resource
+* Secondary location
+** The S3 bucket policy condition that allow HTTP
\ No newline at end of file
diff --git a/rules/S6249/message.adoc b/rules/S6249/message.adoc
index 4caefa0665..7b834ebd82 100644
--- a/rules/S6249/message.adoc
+++ b/rules/S6249/message.adoc
@@ -1,4 +1,7 @@
 === Message
-Make sure authorizing HTTP requests is safe here.
+* Primary location
+** No bucket policy enforces HTTPS-only access to this bucket. Make sure it is safe here.
+* Secondary location
+** HTTPS requests are denied.
diff --git a/rules/S6249/terraform/rule.adoc b/rules/S6249/terraform/rule.adoc
index 4d28558656..bc040e1ddf 100644
--- a/rules/S6249/terraform/rule.adoc
+++ b/rules/S6249/terraform/rule.adoc
@@ -10,8 +10,8 @@ No secure policy is attached to this bucket: [source,terraform] ---- -resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive - bucket = "mynoncompliantbucketname" +resource "aws_s3_bucket" "example-bucket" { # Sensitive + bucket = "example-bucket" } ----
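Review bot: The new secondary-location message `** HTTPS requests are denied.` in message.adoc contradicts the secondary location the same patch defines in highlighting.adoc (the bucket policy condition that allows HTTP) and the examples it updates, where the Deny statement on `"aws:SecureTransport": false` rejects plain-HTTP requests for a single principal, not HTTPS ones. Unless a different scenario is intended, a wording such as `** HTTP requests are still allowed for some principals.` would describe what is actually highlighted. In highlighting.adoc, `condition that allow HTTP` should read `condition that allows HTTP`.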
@@ -19,27 +19,27 @@ A policy is defined but forces only HTTPs communication for some users: [source,terraform] ---- -resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive - bucket = "mynoncompliantbucketname" +resource "aws_s3_bucket" "example-bucket" { # Sensitive + bucket = "example-bucket" } -resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" { - bucket = "mynoncompliantbucketname" +resource "aws_s3_bucket_policy" "example-policy" { + bucket = "example-bucket" policy = jsonencode({ Version = "2012-10-17" - Id = "mynoncompliantbucketpolicy" + Id = "ExamplePolicy" Statement = [ { Sid = "HTTPSOnly" Effect = "Deny" - Principal = { - "AWS": "arn:aws:iam::123456789123:root" - } # secondary location: only one principal is forced to use https + Principal = [ + "arn:aws:iam::123456789123:root" + ] # Only one principal is forced to use HTTPS Action = "s3:*" Resource = [ - aws_s3_bucket.mynoncompliantbucket.arn, - "${aws_s3_bucket.mynoncompliantbucket.arn}/*", + aws_s3_bucket.aws_s3_bucket.arn, + "${aws_s3_bucket.aws_s3_bucket.arn}/*", ] Condition = { Bool = {
@@ -58,16 +58,16 @@ A secure policy that denies all HTTP requests is used: [source,terraform] ---- -resource "aws_s3_bucket" "mycompliantbucket" { - bucket = "mycompliantbucketname" +resource "aws_s3_bucket" "example-bucket" { + bucket = "example-bucket" } -resource "aws_s3_bucket_policy" "mycompliantpolicy" { - bucket = "mycompliantbucketname" +resource "aws_s3_bucket_policy" "example-policy" { + bucket = "example-bucket" policy = jsonencode({ Version = "2012-10-17" - Id = "mycompliantpolicy" + Id = "ExamplePolicy" Statement = [ { Sid = "HTTPSOnly"
@@ -77,8 +77,8 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" { } Action = "s3:*" Resource = [ - aws_s3_bucket.mycompliantbucket.arn, - "${aws_s3_bucket.mycompliantbucket.arn}/*", + aws_s3_bucket.example-bucket.arn, + "${aws_s3_bucket.example-bucket.arn}/*", ] Condition = { Bool = {
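Review bot: In the first hunk (@@ -19), the noncompliant policy's `Resource` now references `aws_s3_bucket.aws_s3_bucket.arn`, but no resource of that name is declared — the bucket is `aws_s3_bucket.example-bucket`, which is what the compliant example at @@ -77 uses — so the example would fail `terraform validate`; the two lines should read `aws_s3_bucket.example-bucket.arn,` and `"${aws_s3_bucket.example-bucket.arn}/*",`. The same hunk also turns `Principal` from an `{ "AWS": ... }` map into a bare list; as far as I know the IAM policy grammar only accepts `"*"` or a map keyed by principal type there, so the policy would be rejected when applied and the example no longer shows a policy that actually restricts one principal — keeping the map, e.g. `Principal = { "AWS" = "arn:aws:iam::123456789123:root" } # Only one principal is forced to use HTTPS`, preserves the point. The `aws_s3_bucket_policy` block continues past the end of the hunk.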
@@ -89,7 +89,6 @@ resource "aws_s3_bucket_policy" "mycompliantpolicy" { ] }) } - ---- include::../see.adoc[]
@@ -102,4 +101,6 @@ ifdef::env-github,rspecator-view[] include::../message.adoc[] +include::../highlighting.adoc[] + endif::env-github,rspecator-view[]