github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/no_public_buckets.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/no_public_buckets.go (about)

     1  package s3
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckPublicBucketsAreRestricted = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0093",
    14  		Provider:    providers.AWSProvider,
    15  		Service:     "s3",
    16  		ShortCode:   "no-public-buckets",
    17  		Summary:     "S3 Access block should restrict public bucket to limit access",
    18  		Impact:      "Public buckets can be accessed by anyone",
    19  		Resolution:  "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)",
    20  		Explanation: `S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.`,
    21  		Links: []string{
    22  			"https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html",
    23  		},
    24  		Terraform: &scan.EngineMetadata{
    25  			GoodExamples:        terraformNoPublicBucketsGoodExamples,
    26  			BadExamples:         terraformNoPublicBucketsBadExamples,
    27  			Links:               terraformNoPublicBucketsLinks,
    28  			RemediationMarkdown: terraformNoPublicBucketsRemediationMarkdown,
    29  		},
    30  		CloudFormation: &scan.EngineMetadata{
    31  			GoodExamples:        cloudFormationNoPublicBucketsGoodExamples,
    32  			BadExamples:         cloudFormationNoPublicBucketsBadExamples,
    33  			Links:               cloudFormationNoPublicBucketsLinks,
    34  			RemediationMarkdown: cloudFormationNoPublicBucketsRemediationMarkdown,
    35  		},
    36  		Severity: severity.High,
    37  	},
    38  	func(s *state.State) (results scan.Results) {
    39  		for _, bucket := range s.AWS.S3.Buckets {
    40  			if bucket.PublicAccessBlock == nil {
    41  				results.Add("No public access block so not restricting public buckets", &bucket)
    42  			} else if bucket.PublicAccessBlock.RestrictPublicBuckets.IsFalse() {
    43  				results.Add(
    44  					"Public access block does not restrict public buckets",
    45  					bucket.PublicAccessBlock.RestrictPublicBuckets,
    46  				)
    47  			} else {
    48  				results.AddPassed(&bucket)
    49  			}
    50  		}
    51  		return results
    52  	},
    53  )