ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6281/python/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

123 lines
3.6 KiB
Plaintext
Raw Blame History

By default S3 buckets are private, it means that only the bucket owner can access it.
This access control can be relaxed with ACLs or policies.
To prevent permissive policies to be set on a S3 bucket the following booleans settings can be enabled:
* `block_public_acls`: to block or not public ACLs to be set to the S3 bucket.
* `ignore_public_acls`: to consider or not existing public ACLs set to the S3 bucket.
* `block_public_policy`: to block or not public policies to be set to the S3 bucket.
* `restrict_public_buckets`: to restrict or not the access to the S3 endpoints of public policies to the principals within the bucket owner account.
The other attribute `BlockPublicAccess.BLOCK_ACLS` only turns on `block_public_acls` and `ignore_public_acls`. The public policies can still affect the S3 bucket.
However, all of those options can be enabled by setting the `block_public_access` property of the S3 bucket to `BlockPublicAccess.BLOCK_ALL`.
include::../ask-yourself.adoc[]
== Recommended Secure Coding Practices
It's recommended to configure:
* `block_public_acls` to `True` to block new attempts to set public ACLs.
* `ignore_public_acls` to `True` to block existing public ACLs.
* `block_public_policy` to `True` to block new attempts to set public policies.
* `restrict_public_buckets` to `True` to restrict existing public policies.
== Sensitive Code Example
By default, when not set, the `block_public_access` is fully deactivated (nothing is blocked):
[source,python]
----
bucket = s3.Bucket(self,
"bucket" # Sensitive
)
----
This `block_public_access` allows public ACL to be set:
[source,python]
----
bucket = s3.Bucket(self,
"bucket",
block_public_access=s3.BlockPublicAccess(
block_public_acls=False, # Sensitive
ignore_public_acls=True,
block_public_policy=True,
restrict_public_buckets=True
)
)
----
The attribute `BLOCK_ACLS` only blocks and ignores public ACLs:
[source,python]
----
bucket = s3.Bucket(self,
"bucket",
block_public_access=s3.BlockPublicAccess.BLOCK_ACLS # Sensitive
)
----
== Compliant Solution
This `block_public_access` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:
[source,python]
----
bucket = s3.Bucket(self,
"bucket",
block_public_access=s3.BlockPublicAccess.BLOCK_ALL # Compliant
)
----
A similar configuration to the one above can obtained by setting all parameters of the `block_public_access`
[source,python]
----
bucket = s3.Bucket(self, "bucket",
block_public_access=s3.BlockPublicAccess( # Compliant
block_public_acls=True,
ignore_public_acls=True,
block_public_policy=True,
restrict_public_buckets=True
)
)
----
include::../see.adoc[]
* https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_s3/Bucket.html[AWS CDK version 2] - Bucket
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Primary locations
** Make sure allowing public ACL/policies to be set is safe here.
** No Public Access Block configuration prevents public ACL/policies to be set on this S3 bucket. Make sure it is safe here.
* Secondary location
** Propagated setting.
=== Highlighting
* Primary locations
** aws_cdk.aws_s3.Bucket constructor
** aws_cdk.aws_s3.Bucket.block_public_access property
** aws_cdk.aws_s3.Bucket.public_read_access property
** 'block_public_acls', 'block_public_policy', 'ignore_public_acls', 'restrict_public_buckets' properties of Bucket set to False
* Secondary location
** For the propagated sensitive setting
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink