dd52d59602
* S6249: Update issue message * Add secondary location * Update code example Remove "mynoncompliant" from the resource names. Add language specificators for code blocks * Apply suggestions from code review Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update secondary location issue message --------- Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
107 lines
2.1 KiB
Plaintext
107 lines
2.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
No secure policy is attached to this bucket:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_s3_bucket" "example-bucket" { # Sensitive
|
|
bucket = "example-bucket"
|
|
}
|
|
----
|
|
|
|
A policy is defined but forces only HTTPs communication for some users:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_s3_bucket" "example-bucket" { # Sensitive
|
|
bucket = "example-bucket"
|
|
}
|
|
|
|
resource "aws_s3_bucket_policy" "example-policy" {
|
|
bucket = "example-bucket"
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Id = "ExamplePolicy"
|
|
Statement = [
|
|
{
|
|
Sid = "HTTPSOnly"
|
|
Effect = "Deny"
|
|
Principal = [
|
|
"arn:aws:iam::123456789123:root"
|
|
] # Only one principal is forced to use HTTPS
|
|
Action = "s3:*"
|
|
Resource = [
|
|
aws_s3_bucket.aws_s3_bucket.arn,
|
|
"${aws_s3_bucket.aws_s3_bucket.arn}/*",
|
|
]
|
|
Condition = {
|
|
Bool = {
|
|
"aws:SecureTransport" = "false"
|
|
}
|
|
}
|
|
},
|
|
]
|
|
})
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
A secure policy that denies all HTTP requests is used:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_s3_bucket" "example-bucket" {
|
|
bucket = "example-bucket"
|
|
}
|
|
|
|
resource "aws_s3_bucket_policy" "example-policy" {
|
|
bucket = "example-bucket"
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Id = "ExamplePolicy"
|
|
Statement = [
|
|
{
|
|
Sid = "HTTPSOnly"
|
|
Effect = "Deny"
|
|
Principal = {
|
|
"AWS": "*"
|
|
}
|
|
Action = "s3:*"
|
|
Resource = [
|
|
aws_s3_bucket.example-bucket.arn,
|
|
"${aws_s3_bucket.example-bucket.arn}/*",
|
|
]
|
|
Condition = {
|
|
Bool = {
|
|
"aws:SecureTransport" = "false"
|
|
}
|
|
}
|
|
},
|
|
]
|
|
})
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|