rspec/rules/S6249/python/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

No secure policy is attached to this bucket:

[source,python]
----
import aws_cdk.aws_s3 as s3
import aws_cdk.aws_iam as iam

bucket = s3.Bucket(self, "bucket") # Sensitive
----

A policy is defined but forces only HTTPs communication for some users, some objects of the bucket and for some actions:

[source,python]
----
bucket = s3.Bucket(self, "bucket")
bucket.add_to_resource_policy(iam.PolicyStatement(     # Sensitive
    effect=iam.Effect.DENY,
    resources=[bucket.bucket_arn],
    actions=["s3:SomeAction"],
    principals=[roles],
    conditions=[{"Bool": {"aws:SecureTransport": False}}]
    )
)
----

== Compliant Solution
A bucket policy that complies with s3-bucket-ssl-requests-only rule should be used. To adhere to it, the bucket policies need to explicitly deny access to HTTP requests.

A secure policy that enforces SSL on requests (default: False):

[source,python]
----
bucket = S3.Bucket(self,
    "bucket",
    enforce_ssl=True
)

----
A secure policy that denies all HTTP requests is used:

[source,python]
----
bucket = s3.Bucket(self, "bucket")

result = bucket.add_to_resource_policy(iam.PolicyStatement(
    effect=iam.Effect.DENY,
    resources=["*"],
    actions=["s3:*"],
    principals=["*"],
    conditions=["SecureTransport:False"]
    )
)

----

include::../see.adoc[]
* https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5[AWS Foundational Security Best Practices controls] - S3 buckets should require requests to use Secure Socket Layer
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]