51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
84 lines
2.0 KiB
Plaintext
84 lines
2.0 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
By default, when not set, the ``++PublicAccessBlockConfiguration++`` is fully deactivated (nothing is blocked):
|
|
|
|
[source,yaml]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
Resources:
|
|
S3Bucketdefault:
|
|
Type: 'AWS::S3::Bucket' # Sensitive
|
|
Properties:
|
|
BucketName: "example"
|
|
----
|
|
|
|
This ``++PublicAccessBlockConfiguration++`` allows public ACL to be set:
|
|
|
|
[source,yaml]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
Resources:
|
|
S3Bucket:
|
|
Type: 'AWS::S3::Bucket' # Sensitive
|
|
Properties:
|
|
BucketName: "example"
|
|
PublicAccessBlockConfiguration:
|
|
BlockPublicAcls: false # should be true
|
|
BlockPublicPolicy: true
|
|
IgnorePublicAcls: true
|
|
RestrictPublicBuckets: true
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
This ``++PublicAccessBlockConfiguration++`` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:
|
|
|
|
[source,yaml]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
Resources:
|
|
S3Bucket:
|
|
Type: 'AWS::S3::Bucket' # Compliant
|
|
Properties:
|
|
BucketName: "example"
|
|
PublicAccessBlockConfiguration:
|
|
BlockPublicAcls: true
|
|
BlockPublicPolicy: true
|
|
IgnorePublicAcls: true
|
|
RestrictPublicBuckets: true
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Primary locations
|
|
** Make sure allowing public ACL/policies to be set is safe here.
|
|
** Omitting "PublicAccessBlockConfiguration" allows public ACL/policies to be set on this S3 bucket. Make sure it is safe here.
|
|
* Secondary location
|
|
** Set this property to true
|
|
|
|
|
|
=== Highlighting
|
|
|
|
* Primary locations
|
|
** PublicAccessBlockConfiguration property
|
|
** AWS::S3::Bucket resource
|
|
* Secondary location
|
|
** BlockPublicAcls / BlockPublicPolicy / IgnorePublicAcls / RestrictPublicBuckets properties set to false
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|