Pierre-Loup d5572cefe6
Revert "Modify rule S6249: Update issue message (#879)" (#934)
This reverts commit a6eed4fa5953db4a4b9c3f0db8b2fb6dc4e0690d.

Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
2022-04-06 14:44:06 +02:00


include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
No bucket policy is attached to this bucket, so nothing denies unencrypted (plain HTTP) requests:
[source,terraform]
----
resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
  # No aws_s3_bucket_policy targets this bucket, so requests made over
  # plain HTTP (aws:SecureTransport = "false") are never denied.
  bucket = "mynoncompliantbucketname"
}
----
A policy is defined, but it forces HTTPS communication only for some users, not for every principal:
[source,terraform]
----
resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
  # The aws_s3_bucket_policy below attaches to this bucket by name.
  bucket = "mynoncompliantbucketname"
}
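resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" {
  bucket = "mynoncompliantbucketname"
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "mynoncompliantbucketpolicy"
    Statement = [
      {
        Sid    = "HTTPSOnly"
        Effect = "Deny"
        # A Principal element other than "*" must be a map keyed by principal
        # type (here "AWS"); a bare list is rejected as a malformed policy.
        # Only this one account is denied unencrypted access - every other
        # principal can still reach the bucket over plain HTTP.
        Principal = {
          AWS = "arn:aws:iam::123456789123:root"
        } # secondary location: only one principal is forced to use https
        Action = "s3:*"
        # Both the bucket itself and every object in it. The reference must
        # name the aws_s3_bucket resource declared above ("mynoncompliantbucket"),
        # not the policy resource, or Terraform fails with an undeclared-resource error.
        Resource = [
          aws_s3_bucket.mynoncompliantbucket.arn,
          "${aws_s3_bucket.mynoncompliantbucket.arn}/*",
        ]
        # Matches requests that were not made over TLS.
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
    ]
  })
}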
----
== Compliant Solution
A secure policy that denies all HTTP requests is used:
[source,terraform]
----
resource "aws_s3_bucket" "mycompliantbucket" {
  # The aws_s3_bucket_policy below attaches to this bucket by name and
  # is what enforces HTTPS-only access.
  bucket = "mycompliantbucketname"
}
resource "aws_s3_bucket_policy" "mycompliantpolicy" {
  bucket = "mycompliantbucketname"
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "mycompliantpolicy"
    Statement = [
      {
        Sid    = "HTTPSOnly"
        Effect = "Deny"
        # "*" covers every principal, authenticated or anonymous, so no
        # caller is exempt from the HTTPS requirement.
        Principal = "*"
        Action    = "s3:*"
        # Both the bucket itself and every object in it.
        Resource = [
          aws_s3_bucket.mycompliantbucket.arn,
          "${aws_s3_bucket.mycompliantbucket.arn}/*",
        ]
        # Matches requests that were not made over TLS, so only those are denied.
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
    ]
  })
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
endif::env-github,rspecator-view[]