Not setting the S3 bucket owner condition risks accidentally operating on the wrong bucket. For example, a configuration error could lead to production data being written into test accounts.
def verify_s3bucket_owner_noncompliant(event):
    """Copy an S3 object onto itself, pinning only the destination bucket owner.

    Args:
        event: mapping (presumably a Lambda event dict) providing the
            "bucket", "key" and "owner" entries read below.

    Noncompliant: the copy sets ``ExpectedBucketOwner`` for the destination
    but omits the source-side owner condition (``ExpectedSourceBucketOwner``),
    so the request does not verify who owns the bucket it reads from.
    """
    import boto3

    s3 = boto3.client('s3')
    bucket = event["bucket"]
    key = event["key"]
    # Only the destination owner is asserted here; the source owner is not.
    s3.copy_object(
        Bucket=bucket,
        CopySource=f"{bucket}/{key}",
        Key=key,
        ExpectedBucketOwner=event["owner"],
    )
def verify_s3bucket_owner_compliant(event):
    """Copy an S3 object onto itself, pinning both source and destination owners.

    Args:
        event: mapping (presumably a Lambda event dict) providing the
            "bucket", "key", "owner" and "owner2" entries read below.

    Compliant: ``ExpectedBucketOwner`` asserts the destination bucket's owner
    and ``ExpectedSourceBucketOwner`` asserts the source bucket's owner, so a
    bucket name that resolves to another account is rejected rather than used.
    """
    import boto3

    s3 = boto3.client('s3')
    bucket = event["bucket"]
    key = event["key"]
    # Both sides of the copy carry an owner condition.
    s3.copy_object(
        Bucket=bucket,
        CopySource=f"{bucket}/{key}",
        Key=key,
        ExpectedBucketOwner=event["owner"],
        ExpectedSourceBucketOwner=event["owner2"],
    )