github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/block_public_acls.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/block_public_acls.go (about)

     1  package s3
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckPublicACLsAreBlocked = rules.Register(
    12  	scan.Rule{
    13  		AVDID:      "AVD-AWS-0086",
    14  		Provider:   providers.AWSProvider,
    15  		Service:    "s3",
    16  		ShortCode:  "block-public-acls",
    17  		Summary:    "S3 Access block should block public ACL",
    18  		Impact:     "PUT calls with public ACLs specified can make objects public",
    19  		Resolution: "Enable blocking any PUT calls with a public ACL specified",
    20  		Explanation: `
    21  S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
    22  `,
    23  		Links: []string{
    24  			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
    25  		},
    26  		Terraform: &scan.EngineMetadata{
    27  			GoodExamples:        terraformBlockPublicAclsGoodExamples,
    28  			BadExamples:         terraformBlockPublicAclsBadExamples,
    29  			Links:               terraformBlockPublicAclsLinks,
    30  			RemediationMarkdown: terraformBlockPublicAclsRemediationMarkdown,
    31  		},
    32  		CloudFormation: &scan.EngineMetadata{
    33  			GoodExamples:        cloudFormationBlockPublicAclsGoodExamples,
    34  			BadExamples:         cloudFormationBlockPublicAclsBadExamples,
    35  			Links:               cloudFormationBlockPublicAclsLinks,
    36  			RemediationMarkdown: cloudFormationBlockPublicAclsRemediationMarkdown,
    37  		},
    38  		Severity: severity.High,
    39  	},
    40  	func(s *state.State) (results scan.Results) {
    41  		for _, bucket := range s.AWS.S3.Buckets {
    42  			if bucket.PublicAccessBlock == nil {
    43  				results.Add("No public access block so not blocking public acls", &bucket)
    44  			} else if bucket.PublicAccessBlock.BlockPublicACLs.IsFalse() {
    45  				results.Add(
    46  					"Public access block does not block public ACLs",
    47  					bucket.PublicAccessBlock.BlockPublicACLs,
    48  				)
    49  			} else {
    50  				results.AddPassed(&bucket)
    51  			}
    52  		}
    53  		return results
    54  	},
    55  )