package s3

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckPublicACLsAreIgnored registers rule AVD-AWS-0091: every S3 bucket must carry a
// public access block whose IgnorePublicACLs setting is enabled, so that public ACLs
// supplied on PUT calls are disregarded instead of being applied to objects.
//
// Two distinct failure modes are reported: a bucket with no public access block at
// all, and a bucket whose block exists but has the setting explicitly disabled.
var CheckPublicACLsAreIgnored = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0091",
		Provider:    providers.AWSProvider,
		Service:     "s3",
		ShortCode:   "ignore-public-acls",
		Summary:     "S3 Access Block should Ignore Public Acl",
		Impact:      "PUT calls with public ACLs specified can make objects public",
		Resolution:  "Enable ignoring the application of public ACLs in PUT calls",
		Explanation: `
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformIgnorePublicAclsGoodExamples,
			BadExamples:         terraformIgnorePublicAclsBadExamples,
			Links:               terraformIgnorePublicAclsLinks,
			RemediationMarkdown: terraformIgnorePublicAclsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationIgnorePublicAclsGoodExamples,
			BadExamples:         cloudFormationIgnorePublicAclsBadExamples,
			Links:               cloudFormationIgnorePublicAclsLinks,
			RemediationMarkdown: cloudFormationIgnorePublicAclsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// The check walks every S3 bucket in the scanned state and records exactly one
	// result (failed or passed) per bucket.
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			// NOTE(review): &bucket is the address of the range variable; under a
			// pre-1.22 go.mod every iteration shares that variable, which is only
			// sound if Add/AddPassed copy what they need immediately — confirm.
			accessBlock := bucket.PublicAccessBlock
			switch {
			case accessBlock == nil:
				// Nothing ignores or blocks public ACLs at all, so the bucket
				// itself is the source of the finding.
				results.Add("No public access block so not ignoring public acls", &bucket)
			case accessBlock.IgnorePublicACLs.IsFalse():
				// Attribute the finding to the setting rather than the bucket so the
				// report points at the exact attribute to change.
				results.Add(
					"Public access block does not ignore public ACLs",
					accessBlock.IgnorePublicACLs,
				)
			default:
				results.AddPassed(&bucket)
			}
		}
		return results
	},
)