Skip to content

Commit

Permalink
S3 access control lists (ACLs) should not be used to manage user acce…
Browse files Browse the repository at this point in the history
…ss to buckets Closes #539
  • Loading branch information
khushboo9024 committed Jan 24, 2023
1 parent d29735d commit ab0f569
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions query/s3/s3_bucket_acls_should_prohibit_user_access.sql
Original file line number Diff line number Diff line change
@@ -1,26 +1,29 @@
with bucket_acl_details as (
select
arn,
select
arn,
title,
array[acl -> 'Owner' ->> 'ID'] as bucket_owner,
array_agg(grantee_id) as bucket_acl_permissions,
object_ownership_controls,
region,
account_id
from
aws_s3_bucket,
jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id
jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id
group by
arn,
title,
acl,
region,
account_id
account_id,
object_ownership_controls
),
bucket_acl_checks as (
select
arn,
title,
to_jsonb(bucket_acl_permissions) - bucket_owner as additional_permissions,
object_ownership_controls,
region,
account_id
from
Expand All @@ -30,11 +33,13 @@ select
-- Required Columns
arn as resource,
case
when object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"} ]' then 'ok'
when jsonb_array_length(additional_permissions) = 0 then 'ok'
else 'alarm'
end status,
case
when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.'
when object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"} ]' then title || ' ACLs are disabled.'
when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.'
else title || ' has ACLs for user access.'
end reason,
-- Additional Dimensions
Expand Down

0 comments on commit ab0f569

Please sign in to comment.