Snyk ID: SNYK-CC-00112
Credit: Snyk Research Team
Description
S3 bucket policies that grant list actions enable users to enumerate an organization's S3 buckets and objects. Malicious actors may use this information to identify potential targets for attacks. Scope list actions only to the users and roles that require them, not to all principals.
How to fix?
Configure the aws_s3_bucket policy field or the aws_s3_bucket_policy resource with a valid action, effect, and condition.
If a bucket policy is defined in an aws_s3_bucket policy field, ensure that no statement in the JSON document combines all three of an invalid principal, an invalid action, and an invalid effect:
- Invalid principals:
  "*"
  "AWS": "*"
- Invalid actions:
  "s3:List*"
  "s3:ListJobs"
  "s3:ListBucket"
  "s3:ListBucketVersions"
  "s3:ListMultipartUploadParts"
- Invalid effect:
  Allow
If a bucket policy is defined as an aws_s3_bucket_policy resource, ensure that no statement in the JSON document in its policy field combines an invalid principal, an invalid action, and an invalid effect as listed above.
Example Configuration
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
}

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
      {
        # Denies every S3 action to all principals except requests from one source IP
        Sid       = "IPAllow"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.b.arn,
          "${aws_s3_bucket.b.arn}/*",
        ]
        Condition = {
          NotIpAddress = {
            "aws:SourceIp" = "8.8.8.8/32"
          }
        }
      },
    ]
  })
  # other required fields here
}
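To check a policy document against the three conditions listed under "How to fix?", here is an added Python checker (not Snyk's own engine). It flags a statement only when principal, action and effect are all on the invalid lists; the sample policy embedded in it is constructed and pairs a public listing statement with the deny-by-source-IP statement from the configuration above.

```python
# Added example, not Snyk's checker: flags bucket-policy statements whose
# principal, action and effect are all on the rule's invalid lists above.
import json

# Invalid action strings from the rule. IAM compares action names
# case-insensitively, so matching is done in lower case.
INVALID_ACTIONS = {"s3:list*", "s3:listjobs", "s3:listbucket",
                   "s3:listbucketversions", "s3:listmultipartuploadparts"}

def _as_list(value):
    """IAM accepts a single string or a list for Action and Principal.AWS."""
    return [] if value is None else value if isinstance(value, list) else [value]

def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also "*" inside an AWS list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def find_violations(policy_json):
    """Return (Sid, [offending actions]) for each statement matching the rule."""
    policy = json.loads(policy_json)
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
            continue
        bad = [a for a in _as_list(stmt.get("Action")) if a.lower() in INVALID_ACTIONS]
        if bad:
            hits.append((stmt.get("Sid", f"statement[{i}]"), bad))
    return hits

# Constructed sample policy: one public-listing statement the rule flags, next
# to the page's deny-by-source-IP statement, which passes.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::my-tf-test-bucket"},
        {"Sid": "IPAllow", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::my-tf-test-bucket/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "8.8.8.8/32"}}},
    ],
})
```

Running find_violations(SAMPLE_POLICY) reports only the PublicList statement with s3:ListBucket; the Deny statement is ignored because its effect is not on the invalid list.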