From 6e3ca567fef3b4213934f26ade1fa516d10ad794 Mon Sep 17 00:00:00 2001
From: Khushboo <46913995+khushboo9024@users.noreply.github.com>
Date: Mon, 6 Mar 2023 18:09:13 +0530
Subject: [PATCH] S3 access control lists (ACLs) should not be used to manage user access to buckets Closes #539 (#549)
---
 ...s3_bucket_acls_should_prohibit_user_access.sql | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/query/s3/s3_bucket_acls_should_prohibit_user_access.sql b/query/s3/s3_bucket_acls_should_prohibit_user_access.sql
index 8525a35b..af0f25a0 100644
--- a/query/s3/s3_bucket_acls_should_prohibit_user_access.sql
+++ b/query/s3/s3_bucket_acls_should_prohibit_user_access.sql
@@ -1,26 +1,29 @@
 with bucket_acl_details as (
- select
- arn,
+ select
+ arn,
 title,
 array[acl -> 'Owner' ->> 'ID'] as bucket_owner,
 array_agg(grantee_id) as bucket_acl_permissions,
+ object_ownership_controls,
 region,
 account_id
 from
 aws_s3_bucket,
- jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id
+ jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id
 group by
 arn,
 title,
 acl,
 region,
- account_id
+ account_id,
+ object_ownership_controls
 ),
 bucket_acl_checks as (
 select
 arn,
 title,
 to_jsonb(bucket_acl_permissions) - bucket_owner as additional_permissions,
+ object_ownership_controls,
 region,
 account_id
 from
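Review bot: The grantee extraction `jsonb_path_query(acl, '$.Grants.Grantee.ID')` that this hunk keeps only surfaces grantees that carry an `ID`, i.e. canonical users; in the S3 ACL model group grantees such as AllUsers and AuthenticatedUsers are presumably identified by `URI` rather than `ID`, so a bucket made public through its ACL would likely still reach the 'does not have ACLs for user access' branch of the final `case`. If the control is meant to cover every non-owner grant rather than only user grants, pull the whole grantee and normalise it, e.g. `jsonb_path_query(acl, '$.Grants.Grantee') as grantee` in the `from` and `array_agg(coalesce(grantee ->> 'ID', grantee ->> 'URI')) as bucket_acl_permissions` in the select; `to_jsonb(...) - bucket_owner` keeps working because it still produces a jsonb array of strings. If the user-only scope is intentional, a one-line comment above the path, `-- only canonical-user grants (ID); group/URI grantees are intentionally not counted`, would stop the next reader from assuming public grants are covered. The `bucket_acl_checks` CTE continues past the end of this hunk.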
@@ -30,11 +33,13 @@ select
 -- Required Columns
 arn as resource,
 case
+ when object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"} ]' then 'ok'
 when jsonb_array_length(additional_permissions) = 0 then 'ok'
 else 'alarm'
 end status,
 case
- when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.'
+ when object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"} ]' then title || ' ACLs are disabled.'
+ when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.'
 else title || ' has ACLs for user access.'
 end reason,
 -- Additional Dimensions
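Review bot: The new `BucketOwnerEnforced` predicate is written out twice, once in the `status` case and once in the `reason` case, and the JSON literal carries a stray space (`"} ]"`), so the two copies are easy to let drift apart on the next edit; tighten both to `'[{"ObjectOwnership": "BucketOwnerEnforced"}]'` or, better, compute the flag once in `bucket_acl_checks` and test a named boolean here. The NULL path also deserves a comment: for a bucket with no OwnershipControls `object_ownership_controls -> 'Rules'` is NULL, `NULL @> ...` is NULL, and the `case` silently falls through to the grant check, which appears to be the intended behaviour but is not obvious from the code, e.g. `-- BucketOwnerEnforced disables ACLs entirely; buckets without OwnershipControls (NULL) fall through to the grant check`. Note that `BucketOwnerPreferred` and `ObjectWriter` still honour ACLs, so it is correct that only `BucketOwnerEnforced` short-circuits to 'ok'. The enclosing `select` begins before this hunk and its column list continues after it.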