S3 Bucket should not be publicly readable and writable Affecting S3 service in AWS


Severity

0.0
critical
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    General / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Controls CSA-CCM ISO-27001 SOC-2
  • Snyk ID SNYK-CC-00268
  • credit Snyk Research Team

Description

S3 bucket policies and ACLs should not be configured for public read access. It is a security risk for a bucket to have an ACL or bucket policy that is configured for public read access, even if the bucket itself is not currently public. A bucket configured for public read access can potentially be made public, allowing any AWS user or anonymous user to access the data in it.

How to fix?

Remove any aws_s3_bucket acl, grant, and/or policy fields that allow public read or write access. Optionally use an aws_s3_bucket_public_access_block or aws_s3_account_public_access_block.

  • Ensure that the aws_s3_bucket acl field does NOT contain EITHER of the following:
    • "public-read"
    • "public-read-write"
  • Ensure that the grant block does NOT contain BOTH an invalid uri and permissions field:
  • If a bucket policy is defined in the bucket's policy field, ensure the JSON document does NOT contain BOTH an invalid principal, an invalid action, and an invalid effect:
    • Invalid principals:
      • "Principal": { "AWS": "*" }
      • "Principal": "*"
    • Invalid actions:
      • "*"
      • "s3:*"
      • "s3:List*"
      • "s3:Get*"
      • "s3:ListBucket*"
      • "s3:GetObject*"
      • "s3:ListBucket"
      • "s3:ListBucketVersions"
      • "s3:ListBucketMultipartUploads"
      • "s3:GetObject"
      • "s3:GetObjectVersion"
      • "s3:GetObjectTorrent"
    • Invalid effect:
      • "Effect": "Allow"
  • If a bucket policy is defined as an aws_s3_bucket_policy, ensure the JSON document in the policy field does NOT contain BOTH an invalid principal, an invalid action, and an invalid effect, as listed above

Example Configuration

# Compliant ACL
resource "aws_s3_bucket" "b" {
  acl    = "private"
  # other required fields here
}
# Compliant grant
resource "aws_s3_bucket" "bucket" {
  bucket = "mybucket"

  grant {
    id          = data.aws_canonical_user_id.current_user.id
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
  }

  # other required fields here
}
# Compliant bucket policy
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
}

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
      {
        Sid       = "IPAllow"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.b.arn,
          "${aws_s3_bucket.b.arn}/*",
        ]
        Condition = {
          NotIpAddress = {
            "aws:SourceIp" = "8.8.8.8/32"
          }
        }
      },
    ]
  })

  # other required fields here
}