package s3

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckPublicPoliciesAreBlocked is the AVD-AWS-0087 rule for S3. A bucket
// fails when it carries no public access block at all, or when the block's
// BlockPublicPolicy setting is false; any other bucket is recorded as passing.
var CheckPublicPoliciesAreBlocked = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0087",
		Provider:    providers.AWSProvider,
		Service:     "s3",
		ShortCode:   "block-public-policy",
		Summary:     "S3 Access block should block public policy",
		Impact:      "Users could put a policy that allows public access",
		Resolution:  "Prevent policies that allow public access being PUT",
		Explanation: `
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformBlockPublicPolicyGoodExamples,
			BadExamples:         terraformBlockPublicPolicyBadExamples,
			Links:               terraformBlockPublicPolicyLinks,
			RemediationMarkdown: terraformBlockPublicPolicyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationBlockPublicPolicyGoodExamples,
			BadExamples:         cloudFormationBlockPublicPolicyBadExamples,
			Links:               cloudFormationBlockPublicPolicyLinks,
			RemediationMarkdown: cloudFormationBlockPublicPolicyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// The check body: one result per bucket, failing on a missing block or a
	// block whose BlockPublicPolicy is false, passing otherwise.
	func(s *state.State) (results scan.Results) {
		for _, b := range s.AWS.S3.Buckets {
			pab := b.PublicAccessBlock
			switch {
			case pab == nil:
				// No public access block configured, so nothing blocks a public policy.
				results.Add("No public access block so not blocking public policies", &b)
			case pab.BlockPublicPolicy.IsFalse():
				// The attribute itself is the source here, not the bucket, so the
				// finding points at the exact setting that is false.
				results.Add("Public access block does not block public policies", pab.BlockPublicPolicy)
			default:
				results.AddPassed(&b)
			}
		}
		return results
	},
)