S3 policy grants all permissions to any principal
Affecting S3 service in AWS


  • Score: 0.0
  • Severity: critical
  • Severity framework: Snyk CCSS
  • Rule category: IAM / Public Access

  • Frameworks: CIS-Controls, CSA-CCM, ISO-27001, NIST-800-53, PCI-DSS, SOC-2
  • Snyk ID: SNYK-CC-00029
  • Credit: Snyk Research Team

Description

S3 bucket policies, and access control policies in general, should not allow wildcard (all) actions, except in very specific administrative situations. Granting wildcard access to all principals makes the bucket effectively public and is overly permissive.

How to fix?

Configure the aws_s3_bucket policy field or the aws_s3_bucket_policy resource with a valid action, effect, and condition.

  • If an aws_s3_bucket policy is defined in the bucket's policy field, ensure that no statement in the JSON document contains ALL THREE of an invalid principal, an invalid action, and an invalid effect:
    • Invalid principals:
      • "Principal": { "AWS": "*" }
      • "Principal": "*"
    • Invalid actions:
      • "*"
      • "s3:*"
    • Invalid effect:
      • "Effect": "Allow"
# Compliant bucket policy
data "aws_iam_policy_document" "example" {
  statement {
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [
      aws_s3_bucket.example.arn,
      "${aws_s3_bucket.example.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
  policy = data.aws_iam_policy_document.example.json
}
  • If a bucket policy is defined as an aws_s3_bucket_policy resource, ensure that no statement in the JSON document in its policy field contains ALL THREE of an invalid principal, an invalid action, and an invalid effect, as listed above.
# Compliant bucket policy
data "aws_iam_policy_document" "example" {
  statement {
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [
      aws_s3_bucket.example.arn,
      "${aws_s3_bucket.example.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id
  policy = data.aws_iam_policy_document.example.json
}
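The three conditions above (an Allow effect, a wildcard principal and a wildcard action in the same statement) can be checked mechanically before a policy is applied. The following Python script is an added example, not Snyk's rule implementation and not code from this page: it parses a bucket policy document and reports every statement that combines all three. It goes slightly beyond the page's list by also accepting the list forms "AWS": ["*"] and "Action": [...], which IAM permits. The sample policies and the account ARN in them are constructed for illustration.

```python
import json

# Principal and action values the rule treats as wildcards (from the rule text).
WILDCARD_PRINCIPALS = ("*",)
WILDCARD_ACTIONS = ("*", "s3:*")


def _as_list(value):
    """Normalise IAM fields that may be either a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "Principal": "*" and "Principal": {"AWS": "*"} (string or list form)."""
    if isinstance(principal, str):
        return principal in WILDCARD_PRINCIPALS
    if isinstance(principal, dict):
        return any(p in WILDCARD_PRINCIPALS for p in _as_list(principal.get("AWS")))
    return False


def _actions_are_wildcard(actions):
    """True if any listed action is "*" or "s3:*" (service prefix compared case-insensitively)."""
    return any(str(a).lower() in WILDCARD_ACTIONS for a in _as_list(actions))


def find_public_wildcard_statements(policy_json):
    """Return the Sid (or positional label) of each statement that is an Allow
    to a wildcard principal for a wildcard action. An empty list means compliant."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are never the problem this rule describes
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if not _actions_are_wildcard(stmt.get("Action")):
            continue
        findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


# Constructed sample: the combination the rule flags.
NON_COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenToEveryone",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example", "arn:aws:s3:::example/*"],
    }],
})

# Constructed sample matching the compliant Deny policy shown above: same wildcard
# principal and action, but the effect is Deny, so it is not flagged.
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyEveryone",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example", "arn:aws:s3:::example/*"],
    }],
})

if __name__ == "__main__":
    for name, doc in (("non-compliant", NON_COMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, "->", find_public_wildcard_statements(doc) or "no findings")
```

The check is deliberately per-statement: a policy is only flagged when one statement carries all three conditions together, which mirrors the "ALL THREE" wording of the fix guidance. A scoped Allow (a specific account ARN as principal) or a Deny with wildcards passes.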