106 lines
2.2 KiB
Plaintext
106 lines
2.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
No secure policy is attached to this bucket:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
|
|
bucket = "mynoncompliantbucketname"
|
|
}
|
|
----
|
|
|
|
A policy is defined but forces only HTTPs communication for some users:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_s3_bucket" "mynoncompliantbucket" { # Sensitive
|
|
bucket = "mynoncompliantbucketname"
|
|
}
|
|
|
|
resource "aws_s3_bucket_policy" "mynoncompliantbucketpolicy" {
|
|
bucket = "mynoncompliantbucketname"
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Id = "mynoncompliantbucketpolicy"
|
|
Statement = [
|
|
{
|
|
Sid = "HTTPSOnly"
|
|
Effect = "Deny"
|
|
Principal = {
|
|
"AWS": "arn:aws:iam::123456789123:root"
|
|
} # secondary location: only one principal is forced to use https
|
|
Action = "s3:*"
|
|
Resource = [
|
|
aws_s3_bucket.mynoncompliantbucket.arn,
|
|
"${aws_s3_bucket.mynoncompliantbucket.arn}/*",
|
|
]
|
|
Condition = {
|
|
Bool = {
|
|
"aws:SecureTransport" = "false"
|
|
}
|
|
}
|
|
},
|
|
]
|
|
})
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
A secure policy that denies all HTTP requests is used:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_s3_bucket" "mycompliantbucket" {
|
|
bucket = "mycompliantbucketname"
|
|
}
|
|
|
|
resource "aws_s3_bucket_policy" "mycompliantpolicy" {
|
|
bucket = "mycompliantbucketname"
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Id = "mycompliantpolicy"
|
|
Statement = [
|
|
{
|
|
Sid = "HTTPSOnly"
|
|
Effect = "Deny"
|
|
Principal = {
|
|
"AWS": "*"
|
|
}
|
|
Action = "s3:*"
|
|
Resource = [
|
|
aws_s3_bucket.mycompliantbucket.arn,
|
|
"${aws_s3_bucket.mycompliantbucket.arn}/*",
|
|
]
|
|
Condition = {
|
|
Bool = {
|
|
"aws:SecureTransport" = "false"
|
|
}
|
|
}
|
|
},
|
|
]
|
|
})
|
|
}
|
|
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|