Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add [S3.12] S3 access control lists (ACLs) should not be used to manage user access to buckets. Closes #363 #489

Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions foundational_security/docs/foundational_security_s3_12.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
## Description

This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets.

ACLs are legacy access control mechanisms that predate IAM. Instead of ACLs, we recommend using IAM policies or S3 bucket policies to more easily manage access to your S3 buckets.

## Remediation

For more information on managing access to S3 buckets, see [Bucket policies and user policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-iam-policies.html) in the Amazon S3 User Guide. For details on how to review your current ACL permissions, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the Amazon S3 User Guide.
16 changes: 15 additions & 1 deletion foundational_security/s3.sp
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,8 @@ benchmark "foundational_security_s3" {
control.foundational_security_s3_8,
control.foundational_security_s3_9,
control.foundational_security_s3_10,
control.foundational_security_s3_11
control.foundational_security_s3_11,
control.foundational_security_s3_12
]

tags = merge(local.foundational_security_s3_common_tags, {
Expand Down Expand Up @@ -153,4 +154,17 @@ control "foundational_security_s3_11" {
foundational_security_item_id = "s3_11"
foundational_security_category = "logging"
})
}

control "foundational_security_s3_12" {
vkumbha marked this conversation as resolved.
Show resolved Hide resolved
title = "12 S3 access control lists (ACLs) should not be used to manage user access to buckets"
description = "This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets."
severity = "medium"
sql = query.s3_bucket_acls_should_prohibit_user_access.sql
documentation = file("./foundational_security/docs/foundational_security_s3_12.md")

tags = merge(local.foundational_security_s3_common_tags, {
foundational_security_item_id = "s3_12"
foundational_security_category = "access_control"
})
}
42 changes: 42 additions & 0 deletions query/s3/s3_bucket_acls_should_prohibit_user_access.sql
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
with bucket_acl_details as (
select
arn,
title,
ARRAY[acl -> 'Owner' ->> 'ID'] as bucket_owner,
array_agg(grantee_id) as bucket_acl_permissions,
region,
account_id
from
aws_s3_bucket,
jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id
group by
arn,
title,
acl,
region,
account_id
),
bucket_acl_checks as (
select
arn,
title,
to_jsonb(bucket_acl_permissions) - bucket_owner as additional_permissions,
region,
account_id
from
bucket_acl_details
)
select
arn,
vkumbha marked this conversation as resolved.
Show resolved Hide resolved
case
when jsonb_array_length(additional_permissions) = 0 then 'ok'
else 'alarm'
end status,
case
when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.'
else title || ' has ACLs for user access.'
end reason,
region,
misraved marked this conversation as resolved.
Show resolved Hide resolved
account_id
from
bucket_acl_checks;