github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/specify_public_access_block.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/s3/specify_public_access_block.go (about)

     1  package s3
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckBucketsHavePublicAccessBlocks = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0094",
    14  		Provider:    providers.AWSProvider,
    15  		Service:     "s3",
    16  		ShortCode:   "specify-public-access-block",
    17  		Summary:     "S3 buckets should each define an aws_s3_bucket_public_access_block",
    18  		Explanation: `The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.`,
    19  		Impact:      "Public access policies may be applied to sensitive data buckets",
    20  		Resolution:  "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies",
    21  		Links: []string{
    22  			"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
    23  		},
    24  		Terraform: &scan.EngineMetadata{
    25  			GoodExamples:        terraformSpecifyPublicAccessBlockGoodExamples,
    26  			BadExamples:         terraformSpecifyPublicAccessBlockBadExamples,
    27  			Links:               terraformSpecifyPublicAccessBlockLinks,
    28  			RemediationMarkdown: terraformSpecifyPublicAccessBlockRemediationMarkdown,
    29  		},
    30  		CloudFormation: &scan.EngineMetadata{
    31  			GoodExamples:        cloudFormationSpecifyPublicAccessBlockGoodExamples,
    32  			BadExamples:         cloudFormationSpecifyPublicAccessBlockBadExamples,
    33  			Links:               cloudFormationSpecifyPublicAccessBlockLinks,
    34  			RemediationMarkdown: cloudFormationSpecifyPublicAccessBlockRemediationMarkdown,
    35  		},
    36  		Severity: severity.Low,
    37  	},
    38  	func(s *state.State) (results scan.Results) {
    39  		for _, bucket := range s.AWS.S3.Buckets {
    40  			if bucket.PublicAccessBlock == nil {
    41  				results.Add(
    42  					"Bucket does not have a corresponding public access block.",
    43  					&bucket,
    44  				)
    45  			} else {
    46  				results.AddPassed(&bucket)
    47  			}
    48  		}
    49  		return results
    50  	},
    51  )