-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3de68c1
commit b04094a
Showing
5 changed files
with
113 additions
and
0 deletions.
There are no files selected for viewing
12 changes: 12 additions & 0 deletions
12
...ts/queries/terraform/aws/s3_bucket_allows_access_to_all_authenticated_users/metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| { | ||
| "id": "d4e5f6g7-h8i9-0jkl-1234-mn567opq8901", | ||
| "queryName": "S3 Bucket Allows Authenticated Users Access", | ||
| "severity": "HIGH", | ||
| "category": "IAM", | ||
| "descriptionText": "Ensures that AWS S3 Bucket ACLs do not allow access to all Authenticated Users. Granting access to all authenticated AWS users can expose data to unintended parties.", | ||
| "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl", | ||
| "platform": "Terraform", | ||
| "descriptionID": "d4e5f6g7", | ||
| "cloudProvider": "aws", | ||
| "cwe": "284" | ||
| } |
62 changes: 62 additions & 0 deletions
62
assets/queries/terraform/aws/s3_bucket_allows_access_to_all_authenticated_users/query.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| package Cx | ||
|
|
||
| import data.generic.common as common_lib | ||
| import data.generic.terraform as tf_lib | ||
|
|
||
| # Case where "grant" is an array (multiple grants) | ||
| CxPolicy[result] { | ||
| resource := input.document[i].resource["aws_s3_bucket_acl"][name] | ||
| acl_policy := resource.access_control_policy | ||
| is_array(acl_policy.grant) | ||
|
|
||
| grant := acl_policy.grant[grant_index] | ||
| common_lib.valid_key(grant, "grantee") | ||
| common_lib.valid_key(grant.grantee, "uri") | ||
|
|
||
| grant.grantee.uri == "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" | ||
|
|
||
| result := { | ||
| "documentId": input.document[i].id, | ||
| "resourceType": "aws_s3_bucket_acl", | ||
| "resourceName": tf_lib.get_specific_resource_name(resource, "aws_s3_bucket_acl", name), | ||
| "searchKey": sprintf("aws_s3_bucket_acl[%s].access_control_policy.grant[%d].grantee.uri", [name, grant_index]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": "aws_s3_bucket_acl.access_control_policy.grant[*].grantee.uri should not be 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'", | ||
| "keyActualValue": sprintf("aws_s3_bucket_acl.access_control_policy.grant[%d].grantee.uri is '%s'", [grant_index, grant.grantee.uri]), | ||
| "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_acl", name, "access_control_policy", "grant", grant_index, "grantee", "uri"], []), | ||
| "remediation": json.marshal({ | ||
| "before": "access_control_policy { grant { grantee { uri = \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" } } }", | ||
| "after": "access_control_policy { grant { grantee { uri = \"http://acs.amazonaws.com/groups/global/OtherGroup\" } } }" | ||
| }), | ||
| "remediationType": "replacement" | ||
| } | ||
| } | ||
|
|
||
| # Case where "grant" is not an array (only one grant) | ||
| CxPolicy[result] { | ||
| resource := input.document[i].resource["aws_s3_bucket_acl"][name] | ||
| acl_policy := resource.access_control_policy | ||
| not is_array(acl_policy.grant) | ||
|
|
||
| grant := acl_policy.grant | ||
| common_lib.valid_key(grant, "grantee") | ||
| common_lib.valid_key(grant.grantee, "uri") | ||
|
|
||
| grant.grantee.uri == "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" | ||
|
|
||
| result := { | ||
| "documentId": input.document[i].id, | ||
| "resourceType": "aws_s3_bucket_acl", | ||
| "resourceName": tf_lib.get_specific_resource_name(resource, "aws_s3_bucket_acl", name), | ||
| "searchKey": sprintf("aws_s3_bucket_acl[%s].access_control_policy.grant.grantee.uri", [name]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": "aws_s3_bucket_acl.access_control_policy.grant.grantee.uri should not be 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'", | ||
| "keyActualValue": sprintf("aws_s3_bucket_acl.access_control_policy.grant.grantee.uri is '%s'", [grant.grantee.uri]), | ||
| "searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket_acl", name, "access_control_policy", "grant", "grantee", "uri"], []), | ||
| "remediation": json.marshal({ | ||
| "before": "access_control_policy { grant { grantee { uri = \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" } } }", | ||
| "after": "access_control_policy { grant { grantee { uri = \"http://acs.amazonaws.com/groups/global/OtherGroup\" } } }" | ||
| }), | ||
| "remediationType": "replacement" | ||
| } | ||
| } |
16 changes: 16 additions & 0 deletions
16
...queries/terraform/aws/s3_bucket_allows_access_to_all_authenticated_users/test/negative.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| resource "aws_s3_bucket_acl" "good_example" { | ||
| bucket = aws_s3_bucket.example.id | ||
|
|
||
| access_control_policy { | ||
| grant { | ||
| grantee { | ||
| type = "CanonicalUser" | ||
| id = "1234567890abcdef1234567890abcdef12345678" # ✅ Restricted access | ||
| } | ||
| permission = "READ" | ||
| } | ||
| owner { | ||
| id = aws_s3_bucket.example.owner_id | ||
| } | ||
| } | ||
| } |
16 changes: 16 additions & 0 deletions
16
...queries/terraform/aws/s3_bucket_allows_access_to_all_authenticated_users/test/positive.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| resource "aws_s3_bucket_acl" "bad_example" { | ||
| bucket = aws_s3_bucket.example.id | ||
|
|
||
| access_control_policy { | ||
| grant { | ||
| grantee { | ||
| type = "Group" | ||
| uri = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" # ❌ Allows access to all authenticated users | ||
| } | ||
| permission = "READ" | ||
| } | ||
| owner { | ||
| id = aws_s3_bucket.example.owner_id | ||
| } | ||
| } | ||
| } |
7 changes: 7 additions & 0 deletions
7
...aws/s3_bucket_allows_access_to_all_authenticated_users/test/positive_expected_result.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| [ | ||
| { | ||
| "queryName": "S3 Bucket Allows Authenticated Users Access", | ||
| "severity": "HIGH", | ||
| "line": 8 | ||
| } | ||
| ] |