ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6255/terraform/rule.adoc
jtingsanchali 96d9ddb930
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) 
* Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files
2022-04-07 08:53:59 -05:00

69 lines
2.2 KiB
Plaintext
Raw Blame History

When S3 buckets versioning is enabled it's possible to add an additional authentication factor before being allowed to delete versions of an object or changing the versioning state of a bucket. It prevents accidental object deletion by forcing the user sending the delete request to prove that he has a valid MFA device and a corresponding valid token.
== Ask Yourself Whether
* The S3 bucket stores sensitive information that is required to be preserved on the long term.
* The S3 bucket grants delete permission to many users.
There is a risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
It's recommended to enable S3 MFA delete, note that:
* MFA delete can only be enabled with the AWS CLI or API and with the root account.
* To delete an object version, the API should be used with the ``++x-amz-mfa++`` header.
* The API request, with the ``++x-amz-mfa++`` header, can only be used in HTTPS.
== Sensitive Code Example
A versioned S3 bucket doesn't have MFA delete enabled:
[source,terraform]
----
resource "aws_s3_bucket" "example" { # Sensitive
bucket = "example"
versioning {
enabled = true
}
}
----
== Compliant Solution
MFA delete is enabled (https://github.com/hashicorp/terraform-provider-aws/issues/629[it's not possible to set this option] to a new S3 bucket with Terraform but the Terraform template can be updated that way it reflects the state):
[source,terraform]
----
resource "aws_s3_bucket" "example" { # Compliant
bucket = "example"
versioning {
enabled = true
mfa_delete = true
}
}
----
== See
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures
* https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html[AWS documentation] - Configuring MFA delete
* https://cwe.mitre.org/data/definitions/308[MITRE, CWE-308] - Use of Single-factor Authentication
* https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink