From 71247169ed6db6308d7a81fa0751b54d1fdcdbc8 Mon Sep 17 00:00:00 2001 From: vkumbha Date: Wed, 24 Aug 2022 10:41:23 +0530 Subject: [PATCH 1/4] Add [S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets. Closes #363 --- .../docs/foundational_security_s3_12.md | 9 ++++ foundational_security/s3.sp | 13 ++++++ ...ucket_acls_should_prohibit_user_access.sql | 42 +++++++++++++++++++ 3 files changed, 64 insertions(+) create mode 100644 foundational_security/docs/foundational_security_s3_12.md create mode 100644 query/s3/s3_bucket_acls_should_prohibit_user_access.sql
diff --git a/foundational_security/docs/foundational_security_s3_12.md b/foundational_security/docs/foundational_security_s3_12.md
new file mode 100644
index 00000000..443f9297
--- /dev/null
+++ b/foundational_security/docs/foundational_security_s3_12.md
@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets.
+
+ACLs are legacy access control mechanisms that predate IAM. Instead of ACLs, we recommend using IAM policies or S3 bucket policies to more easily manage access to your S3 buckets.
+
+## Remediation
+
+For more information on managing access to S3 buckets, see [Bucket policies and user policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-iam-policies.html) in the Amazon S3 User Guide. For details on how to review your current ACL permissions, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the Amazon S3 User Guide.
\ No newline at end of file
diff --git a/foundational_security/s3.sp b/foundational_security/s3.sp
index 9bb12704..be8c1a0d 100644
--- a/foundational_security/s3.sp
+++ b/foundational_security/s3.sp
@@ -153,4 +153,17 @@ control "foundational_security_s3_11" { foundational_security_item_id = "s3_11" foundational_security_category = "logging" }) +} + +control "foundational_security_s3_12" { + title = "12 S3 access control lists (ACLs) should not be used to manage user access to buckets" + description = "This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets." + severity = "medium" + sql = query.s3_bucket_acls_should_prohibit_user_access.sql + documentation = file("./foundational_security/docs/foundational_security_s3_12.md") + + tags = merge(local.foundational_security_s3_common_tags, { + foundational_security_item_id = "s3_12" + foundational_security_category = "access_control" + }) } \ No newline at end of file diff --git a/query/s3/s3_bucket_acls_should_prohibit_user_access.sql b/query/s3/s3_bucket_acls_should_prohibit_user_access.sql new file mode 100644 index 00000000..42a59844 --- /dev/null +++ b/query/s3/s3_bucket_acls_should_prohibit_user_access.sql @@ -0,0 +1,42 @@ +with bucket_acl_details as ( + select + arn, + title, + ARRAY[acl -> 'Owner' ->> 'ID'] as bucket_owner, + array_agg(grantee_id) as bucket_acl_permissions, + region, + account_id + from + aws_s3_bucket, + jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id + group by + arn, + title, + acl, + region, + account_id +), +bucket_acl_checks as ( + select + arn, + title, + to_jsonb(bucket_acl_permissions) - bucket_owner as additional_permissions, + region, + account_id + from + bucket_acl_details +) +select + arn, + case + when jsonb_array_length(additional_permissions) = 0 then 'ok' + else 'alarm' + end status, + case + when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.' + else title || ' has ACLs for user access.' + end reason, + region, + account_id +from + bucket_acl_checks; \ No newline at end of file 
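Review bot: In `bucket_acl_details` the implicit cross join against `jsonb_path_query(acl, '$.Grants.Grantee.ID')` drops a bucket from the output entirely whenever that path yields no rows (a null `acl`, or grants that carry no `ID`), and because only `ID`-bearing grantees are collected, a grant to a `Group` grantee (AllUsers, AuthenticatedUsers and LogDelivery are identified by `URI`, not `ID`) is never counted and the bucket is reported `ok`. Whether the upstream control means group grants to count as user access is not stated on this page, but a bucket silently vanishing from the benchmark is a false negative either way, and the subtract-the-owner step `to_jsonb(bucket_acl_permissions) - bucket_owner` additionally depends on `Owner.ID` being present. I would iterate `acl -> 'Grants'` with `left join lateral jsonb_array_elements(...) on true` so every bucket is reported, and count each grant whose grantee is not the owner's canonical user instead of subtracting the owner ID from an ID-only list. A header comment such as `-- Any grant to a grantee other than the bucket owner's canonical user counts as user access via ACL` would also make the intent explicit for the next reader.

```sql
with bucket_acl_details as (
  -- left join lateral keeps every bucket, including one whose ACL yields no
  -- grant rows, so it is reported instead of silently dropped.
  select
    b.arn,
    b.title,
    b.region,
    b.account_id,
    -- Any grant to a grantee other than the bucket owner's canonical user
    -- counts as user access via ACL; Group grantees (URI, no ID) are included.
    count(grants.entry) filter (
      where not (
        grants.entry -> 'Grantee' ->> 'Type' = 'CanonicalUser'
        and grants.entry -> 'Grantee' ->> 'ID' = b.acl -> 'Owner' ->> 'ID'
      )
    ) as additional_grants
  from
    aws_s3_bucket as b
    left join lateral jsonb_array_elements(b.acl -> 'Grants') as grants(entry) on true
  group by
    b.arn,
    b.title,
    b.region,
    b.account_id
)
-- … unchanged: bucket_acl_checks CTE is no longer needed …
select
  arn,
  case
    when additional_grants = 0 then 'ok'
    else 'alarm'
  end status,
  case
    when additional_grants = 0 then title || ' does not have ACLs for user access.'
    else title || ' has ACLs for user access.'
  end reason,
  -- … unchanged: region, account_id …
from
  bucket_acl_details;
```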
From 94b385d7e7e4c6a81ccaa04cb55f147d97199692 Mon Sep 17 00:00:00 2001 From: vkumbha Date: Wed, 24 Aug 2022 20:51:17 +0530 Subject: [PATCH 2/4] Adding control to the benchmark --- foundational_security/s3.sp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/foundational_security/s3.sp b/foundational_security/s3.sp index be8c1a0d..0d78ccd2 100644 --- a/foundational_security/s3.sp +++ b/foundational_security/s3.sp @@ -17,7 +17,8 @@ benchmark "foundational_security_s3" { control.foundational_security_s3_8, control.foundational_security_s3_9, control.foundational_security_s3_10, - control.foundational_security_s3_11 + control.foundational_security_s3_11, + control.foundational_security_s3_12 ] tags = merge(local.foundational_security_s3_common_tags, { From e512fe1b9ab5b72b4ea854102f6866b979cfa2af Mon Sep 17 00:00:00 2001 From: vkumbha Date: Mon, 29 Aug 2022 18:27:46 +0530 Subject: [PATCH 3/4] Format query as per standards --- query/s3/s3_bucket_acls_should_prohibit_user_access.sql | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/query/s3/s3_bucket_acls_should_prohibit_user_access.sql b/query/s3/s3_bucket_acls_should_prohibit_user_access.sql index 42a59844..007bb880 100644 --- a/query/s3/s3_bucket_acls_should_prohibit_user_access.sql +++ b/query/s3/s3_bucket_acls_should_prohibit_user_access.sql @@ -27,7 +27,8 @@ bucket_acl_checks as ( bucket_acl_details ) select - arn, + -- Required Columns + arn as resource, case when jsonb_array_length(additional_permissions) = 0 then 'ok' else 'alarm' @@ -36,7 +37,8 @@ select when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.' else title || ' has ACLs for user access.' end reason, - region, + -- Additional Dimensions + region, account_id from bucket_acl_checks; \ No newline at end of file From 1900be630b0d88bcf1cdfc9891aededddcc421bc Mon Sep 17 00:00:00 2001 
From: vkumbha Date: Mon, 29 Aug 2022 18:30:59 +0530 Subject: [PATCH 4/4] Fix indentation --- query/s3/s3_bucket_acls_should_prohibit_user_access.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/query/s3/s3_bucket_acls_should_prohibit_user_access.sql b/query/s3/s3_bucket_acls_should_prohibit_user_access.sql index 007bb880..9cc066e0 100644 --- a/query/s3/s3_bucket_acls_should_prohibit_user_access.sql +++ b/query/s3/s3_bucket_acls_should_prohibit_user_access.sql @@ -38,7 +38,7 @@ select else title || ' has ACLs for user access.' end reason, -- Additional Dimensions - region, + region, account_id from bucket_acl_checks; \ No newline at end of file