dd52d59602
* S6249: Update issue message * Add secondary location * Update code example Remove "mynoncompliant" from the resource names. Add language specificators for code blocks * Apply suggestions from code review Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update secondary location issue message --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
96 lines
2.1 KiB
Plaintext
96 lines
2.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
No secure policy is attached to this S3 bucket:
|
|
|
|
[source,yaml]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
Resources:
|
|
S3Bucket:
|
|
Type: 'AWS::S3::Bucket' # Sensitive
|
|
----
|
|
|
|
A policy is defined but forces only HTTPs communication for some users:
|
|
|
|
[source,yaml]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
Resources:
|
|
S3Bucket:
|
|
Type: 'AWS::S3::Bucket' # Sensitive
|
|
Properties:
|
|
BucketName: "example-bucket"
|
|
|
|
S3BucketPolicy:
|
|
Type: 'AWS::S3::BucketPolicy'
|
|
Properties:
|
|
Bucket: !Ref S3Bucket
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Deny
|
|
Principal:
|
|
AWS: # Only one principal is forced to use https
|
|
- 'arn:aws:iam::123456789123:root'
|
|
Action: "*"
|
|
Resource:
|
|
- arn:aws:s3:::example-bucket
|
|
- arn:aws:s3:::example-bucket/*
|
|
Condition:
|
|
Bool:
|
|
"aws:SecureTransport": false
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
A secure policy that denies the use of all HTTP requests:
|
|
|
|
[source,yaml]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
Resources:
|
|
S3Bucket:
|
|
Type: 'AWS::S3::Bucket' # Compliant
|
|
Properties:
|
|
BucketName: "example-bucket"
|
|
|
|
S3BucketPolicy:
|
|
Type: 'AWS::S3::BucketPolicy'
|
|
Properties:
|
|
|
|
Bucket: !Ref S3Bucket
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Deny
|
|
Principal:
|
|
AWS: "*" # all principals should use https
|
|
Action: "*" # for any actions
|
|
Resource: # for the bucket and all its objects
|
|
- arn:aws:s3:::example-bucket
|
|
- arn:aws:s3:::example-bucket/*
|
|
Condition:
|
|
Bool:
|
|
"aws:SecureTransport": false
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|