github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/no_public_access_with_acl.go (about)

     1  package s3
     2  
     3  import (
     4  	"fmt"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    11  
    12  	"github.com/khulnasoft-lab/defsec/internal/rules"
    13  
    14  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    15  )
    16  
// CheckForPublicACL is rule AVD-AWS-0092: it reports every S3 bucket whose
// ACL grants public exposure and records a pass for every bucket whose ACL
// does not. Which canned ACLs count as publicly exposing is decided by
// bucket.HasPublicExposureACL (defined on the bucket type, not here). The
// "authenticated-read" ACL gets its own message because, as the finding text
// says, it opens the bucket to all AWS accounts rather than to anonymous
// users; every other exposing ACL is reported with its literal value.
var CheckForPublicACL = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0092",
		Provider:  providers.AWSProvider,
		Service:   "s3",
		ShortCode: "no-public-access-with-acl",
		Summary:   "S3 Buckets not publicly accessible through ACL.",
		Explanation: `
Buckets should not have ACLs that allow public access
`,
		Impact:     "Public access to the bucket can lead to data leakage",
		Resolution: "Don't use canned ACLs or switch to private acl",

		Links: []string{
			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessWithAclGoodExamples,
			BadExamples:         terraformNoPublicAccessWithAclBadExamples,
			Links:               terraformNoPublicAccessWithAclLinks,
			RemediationMarkdown: terraformNoPublicAccessWithAclRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicAccessWithAclGoodExamples,
			BadExamples:         cloudFormationNoPublicAccessWithAclBadExamples,
			Links:               cloudFormationNoPublicAccessWithAclLinks,
			RemediationMarkdown: cloudFormationNoPublicAccessWithAclRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate every bucket in the scanned state; the ACL attribute itself is
	// attached to each finding so the result points at the offending line.
	func(s *state.State) (results scan.Results) {
		for _, bucket := range s.AWS.S3.Buckets {
			switch {
			case !bucket.HasPublicExposureACL():
				// Not exposing: record the bucket as passing this rule.
				results.AddPassed(&bucket)
			case bucket.ACL.EqualTo("authenticated-read"):
				// Exposed to any authenticated AWS principal, not the world.
				results.Add(
					"Bucket is exposed to all AWS accounts via ACL.",
					bucket.ACL,
				)
			default:
				// Any other exposing canned ACL: report it by name.
				results.Add(
					fmt.Sprintf("Bucket has a public ACL: '%s'.", bucket.ACL.Value()),
					bucket.ACL,
				)
			}
		}
		return results
	},
)