ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6249/cloudformation/rule.adoc
Fred Tingaud 51369b610e
Make sure that includes are always surrounded by empty lines (#2270) 
When an include is not surrounded by empty lines, its content is inlined
on the same line as the adjacent content. That can lead to broken tags
and other display issues.
This PR fixes all such includes and introduces a validation step that
forbids introducing the same problem again.
2023-06-22 10:38:01 +02:00

89 lines
2.0 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
No secure policy is attached to this S3 bucket:
[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket' # Sensitive
----
A policy is defined but forces only HTTPs communication for some users:
[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket' # Sensitive
Properties:
BucketName: "mynoncompliantbucket"
S3BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Deny
Principal:
AWS: # Sensitive: only one principal is forced to use https
- 'arn:aws:iam::123456789123:root'
Action: "*"
Resource: arn:aws:s3:::mynoncompliantbuckets6249/*
Condition:
Bool:
"aws:SecureTransport": false
----
== Compliant Solution
A secure policy that denies the use of all HTTP requests:
[source,yaml]
----
AWSTemplateFormatVersion: 2010-09-09
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket' # Compliant
Properties:
BucketName: "mycompliantbucket"
S3BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: "mycompliantbucket"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Deny
Principal:
AWS: "*" # all principals should use https
Action: "*" # for any actions
Resource: arn:aws:s3:::mycompliantbucket/* # for any resources
Condition:
Bool:
"aws:SecureTransport": false
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink