S3 access control lists (ACLs) should not be used to manage user access to buckets #539

Closed
jchrisfarris opened this issue Jan 17, 2023 · 3 comments · Fixed by #549
Labels
bug Something isn't working

Comments

@jchrisfarris

Describe the bug
The proper way to ensure that ACLs are not used to manage object and bucket access is to disable them via the Bucket Owner Enforced setting in S3.

Steampipe version (steampipe -v)
v18.0

Plugin version (steampipe plugin list)
Default in SPC
Mod version 0.54.0

To reproduce
An S3 bucket with either of the two settings, bucket owner preferred or object writer, still allows ACLs to be used. At this time the mod only looks for the presence of any ACLs, not to see whether ACLs are disabled.

Expected behavior
The mod should report this finding as non-compliant if the ownership setting is not bucket owner enforced.

@jchrisfarris jchrisfarris added the bug Something isn't working label Jan 17, 2023
@rajlearner17
Contributor

rajlearner17 commented Jan 18, 2023

This is derived from FSBP S3.12 (query used: s3_bucket_acls_should_prohibit_user_access.sql). We are re-evaluating based on your suggestion to explore if we can add any direct column for Bucket owner enforced in the table, or whether the current evaluation is correct with additional checks as ACLs are disabled in it?

@jchrisfarris
Author

ACLs aren't "disabled", they're just not present. ACLs are only disabled when the Bucket owner enforced setting is set.
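The distinction drawn in the issue body and in the comment above (ACLs absent is not the same as ACLs disabled) is easy to get wrong in a check, so here is an added example that is not part of the issue thread or of the Steampipe mod. It places the presence-only evaluation the issue says the mod performs today beside an ownership-aware evaluation, and runs both over three constructed buckets whose dictionaries follow the shape of the S3 GetBucketOwnershipControls and GetBucketAcl responses. The bucket names, owner ID and grants are constructed sample data; treating a bucket with no ownership controls configured as ObjectWriter (ACLs enabled) is an assumption that matches how pre-existing buckets behaved when the issue was filed.

```python
"""
Presence-only vs ownership-aware evaluation of S3 bucket ACL posture.

A bucket only has ACLs disabled when its Object Ownership setting is
BucketOwnerEnforced. Under BucketOwnerPreferred or ObjectWriter, ACLs stay
enabled even when the only grant present is the owner's own FULL_CONTROL.
"""

from typing import Optional

# ObjectOwnership values as they appear in GetBucketOwnershipControls output.
BUCKET_OWNER_ENFORCED = "BucketOwnerEnforced"
BUCKET_OWNER_PREFERRED = "BucketOwnerPreferred"
OBJECT_WRITER = "ObjectWriter"


def object_ownership(ownership_controls: Optional[dict]) -> str:
    """Extract ObjectOwnership from a GetBucketOwnershipControls-shaped dict.

    Assumption: a bucket with no ownership controls configured (the API reports
    OwnershipControlsNotFoundError) behaves as ObjectWriter, i.e. ACLs enabled.
    """
    if not ownership_controls:
        return OBJECT_WRITER
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    for rule in rules:
        if "ObjectOwnership" in rule:
            return rule["ObjectOwnership"]
    return OBJECT_WRITER


def acls_disabled(ownership_controls: Optional[dict]) -> bool:
    """ACLs are disabled only under BucketOwnerEnforced."""
    return object_ownership(ownership_controls) == BUCKET_OWNER_ENFORCED


def non_owner_grants(acl: dict) -> list:
    """Grants in a GetBucketAcl-shaped dict to anyone other than the bucket owner."""
    owner_id = acl.get("Owner", {}).get("ID")
    return [g for g in acl.get("Grants", []) if g.get("Grantee", {}).get("ID") != owner_id]


def acl_only_check(acl: dict) -> str:
    """Presence-only evaluation: passes whenever no non-owner grant exists."""
    return "ok" if not non_owner_grants(acl) else "alarm"


def ownership_check(ownership_controls: Optional[dict], acl: dict) -> str:
    """Ownership-aware evaluation: passes only when ACLs are actually disabled."""
    return "ok" if acls_disabled(ownership_controls) else "alarm"


# --- constructed sample data (not real account or bucket values) ---
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
         "DisplayName": "bucket-owner"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
               "Permission": "FULL_CONTROL"}
PUBLIC_READ_GRANT = {"Grantee": {"Type": "Group",
                                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}


def controls(setting: str) -> dict:
    """Build a GetBucketOwnershipControls-shaped response for one setting."""
    return {"OwnershipControls": {"Rules": [{"ObjectOwnership": setting}]}}


SAMPLE_BUCKETS = {
    # ACLs disabled; only the owner grant can exist.
    "enforced": (controls(BUCKET_OWNER_ENFORCED), {"Owner": OWNER, "Grants": [OWNER_GRANT]}),
    # Owner-only grant, but ACLs are still enabled: presence-only check misses this.
    "preferred-owner-only": (controls(BUCKET_OWNER_PREFERRED), {"Owner": OWNER, "Grants": [OWNER_GRANT]}),
    # No ownership controls configured (treated as ObjectWriter) plus a public-read grant.
    "writer-public-read": (None, {"Owner": OWNER, "Grants": [OWNER_GRANT, PUBLIC_READ_GRANT]}),
}


def evaluate_all(buckets: dict) -> dict:
    """Return {bucket: (presence_only_status, ownership_aware_status)}."""
    return {name: (acl_only_check(acl), ownership_check(ctrl, acl))
            for name, (ctrl, acl) in buckets.items()}


if __name__ == "__main__":
    for name, (presence, ownership) in evaluate_all(SAMPLE_BUCKETS).items():
        print(f"{name:22} presence-only={presence:5} ownership-aware={ownership}")
```

The second bucket is the case the issue is about: it carries no grant beyond the owner's, so a presence-only check reports it as compliant, while the ownership-aware check flags it because BucketOwnerPreferred leaves ACLs enabled.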

@rajlearner17
Contributor

@jchrisfarris, would it be possible for you to try issue-539 and share your feedback?
