S3 access control lists (ACLs) should not be used to manage user acce…

…ss to buckets Closes #539 (#549)
turbot · Mar 6, 2023 · 6e3ca56 · 6e3ca56
1 parent 28294cb
commit 6e3ca56
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/query/s3/s3_bucket_acls_should_prohibit_user_access.sql b/query/s3/s3_bucket_acls_should_prohibit_user_access.sql
@@ -1,26 +1,29 @@
 with bucket_acl_details as (
-   select
-      arn,
+  select
+     arn,
       title,
       array[acl -> 'Owner' ->> 'ID'] as bucket_owner,
       array_agg(grantee_id) as bucket_acl_permissions,
+      object_ownership_controls,
       region,
       account_id
    from
       aws_s3_bucket,
-      jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id 
+      jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id
    group by
       arn,
       title,
       acl,
       region,
-      account_id
+      account_id,
+      object_ownership_controls
 ),
 bucket_acl_checks as (
    select
       arn,
       title,
       to_jsonb(bucket_acl_permissions) - bucket_owner as additional_permissions,
+      object_ownership_controls,
       region,
       account_id
    from
@@ -30,11 +33,13 @@ select
    -- Required Columns
    arn as resource,
    case
+      when object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"} ]' then 'ok'
       when jsonb_array_length(additional_permissions) = 0 then 'ok'
       else 'alarm'
    end status,
    case
-      when jsonb_array_length(additional_permissions) = 0  then title || ' does not have ACLs for user access.'
+      when object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"} ]' then title || ' ACLs are disabled.'
+      when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.'
       else title || ' has ACLs for user access.'
    end reason,
    -- Additional Dimensions