51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
86 lines
2.0 KiB
Plaintext
86 lines
2.0 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
By default, when not set, the ``++aws_s3_bucket_public_access_block++`` is fully deactivated (nothing is blocked):
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_s3_bucket" "example" { # Sensitive: no Public Access Block defined for this bucket
|
|
bucket = "example"
|
|
}
|
|
----
|
|
|
|
This ``++aws_s3_bucket_public_access_block++`` allows public ACL to be set:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_s3_bucket" "example" { # Sensitive
|
|
bucket = "examplename"
|
|
}
|
|
|
|
resource "aws_s3_bucket_public_access_block" "example-public-access-block" {
|
|
bucket = aws_s3_bucket.example.id
|
|
|
|
block_public_acls = false # should be true
|
|
block_public_policy = true
|
|
ignore_public_acls = true
|
|
restrict_public_buckets = true
|
|
}
|
|
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
This ``++aws_s3_bucket_public_access_block++`` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_s3_bucket" "example" {
|
|
bucket = "example"
|
|
}
|
|
|
|
resource "aws_s3_bucket_public_access_block" "example-public-access-block" {
|
|
bucket = aws_s3_bucket.example.id
|
|
|
|
block_public_acls = true
|
|
block_public_policy = true
|
|
ignore_public_acls = true
|
|
restrict_public_buckets = true
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Primary locations
|
|
** Make sure allowing public ACL/policies to be set is safe here.
|
|
** No Public Access Block configuration prevents public ACL/policies to be set on this S3 bucket. Make sure it is safe here.
|
|
* Secondary location
|
|
** Set this property to true
|
|
** Related bucket
|
|
|
|
|
|
=== Highlighting
|
|
|
|
* Primary locations
|
|
** aws_s3_bucket_public_access_block
|
|
** aws_s3_bucket resource
|
|
* Secondary location
|
|
** block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets properties set to false
|
|
** aws_s3_bucket resource
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|