Missing S3 bucket owner condition Low

The S3 bucket owner condition lets a request state which AWS account it expects to own the bucket it touches: ExpectedBucketOwner for the bucket being written to and, on a copy, ExpectedSourceBucketOwner for the bucket being read from. If the stated account does not own the bucket, S3 rejects the request with HTTP 403 (Access Denied) and nothing is read or written. Without the condition, a bucket name that is wrong because of a typo, a stale configuration value, or a name that belongs to a different account is used silently. For example, a configuration error could lead to accidentally writing production data into a test account, or to copying data from a bucket that the code assumes is its own but is not.

Detector ID
python/s3-verify-bucket-owner@v1.0
Category

Noncompliant example

import boto3


def verify_s3bucket_owner_noncompliant(event):
    client = boto3.client('s3')
    # Noncompliant: missing S3 bucket owner condition
    # (ExpectedSourceBucketOwner), so the account that owns the source
    # bucket is never checked; only the destination bucket is verified.
    client.copy_object(
        Bucket=event["bucket"],
        CopySource=f"{event['bucket']}/{event['key']}",
        Key=event["key"],
        ExpectedBucketOwner=event["owner"],
    )

Compliant example

import boto3


def verify_s3bucket_owner_compliant(event):
    client = boto3.client('s3')
    # Compliant: sets the S3 bucket owner condition (ExpectedSourceBucketOwner).
    # event["owner"] is the account ID expected to own the destination bucket,
    # event["owner2"] the account ID expected to own the source bucket; S3
    # refuses the copy with 403 if either does not match.
    client.copy_object(
        Bucket=event["bucket"],
        CopySource=f"{event['bucket']}/{event['key']}",
        Key=event["key"],
        ExpectedBucketOwner=event["owner"],
        ExpectedSourceBucketOwner=event["owner2"],
    )
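The following is an added example, not code from the detector page or from AWS. It exercises both shapes above against a constructed in-memory stand-in for the boto3 S3 client (FakeS3Client, which applies the owner checks S3 applies), so it runs without credentials; the account IDs, bucket names and object contents are constructed for the scenario. The helper copy_object_owner_checked is the page's compliant call wrapped so that a 403 from an owner mismatch is reported instead of raised, and it works unchanged against a real boto3.client('s3').

```python
# Added example: owner conditions on copy_object, exercised against a constructed
# stand-in for the boto3 S3 client so that it runs without AWS credentials.
try:
    # boto3 surfaces a 403 as botocore's ClientError
    from botocore.exceptions import ClientError
except ImportError:  # stand-in with the same constructor and .response attribute
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response
            self.operation_name = operation_name

PROD_ACCOUNT = "111111111111"  # constructed account IDs
TEST_ACCOUNT = "222222222222"


class FakeS3Client:
    """Constructed stand-in for boto3's S3 client (copy_object only). As S3 does,
    it fails with 403 AccessDenied, writing nothing, when ExpectedBucketOwner or
    ExpectedSourceBucketOwner is given and does not match the bucket's owner."""

    def __init__(self, bucket_owners, objects):
        self.bucket_owners = dict(bucket_owners)  # bucket name -> owning account ID
        self.objects = dict(objects)              # (bucket, key) -> bytes

    def copy_object(self, Bucket, CopySource, Key,
                    ExpectedBucketOwner=None, ExpectedSourceBucketOwner=None):
        src_bucket, src_key = CopySource.split("/", 1)
        for bucket, expected in ((src_bucket, ExpectedSourceBucketOwner),
                                 (Bucket, ExpectedBucketOwner)):
            if expected is not None and self.bucket_owners.get(bucket) != expected:
                raise ClientError(
                    {"Error": {"Code": "AccessDenied", "Message": "Access Denied"},
                     "ResponseMetadata": {"HTTPStatusCode": 403}},
                    "CopyObject")
        self.objects[(Bucket, Key)] = self.objects[(src_bucket, src_key)]
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def copy_object_owner_checked(client, src_bucket, src_key, dst_bucket, dst_key,
                              expected_owner, expected_source_owner):
    """Copy with both owner conditions set (the compliant shape from the page).
    Returns True if the copy happened, False if S3 refused it because a bucket
    belongs to an unexpected account; other errors propagate. The call is the
    same against a real boto3.client('s3')."""
    try:
        client.copy_object(
            Bucket=dst_bucket,
            CopySource=f"{src_bucket}/{src_key}",
            Key=dst_key,
            ExpectedBucketOwner=expected_owner,
            ExpectedSourceBucketOwner=expected_source_owner,
        )
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "AccessDenied":
            return False
        raise
    return True


def run_scenario():
    """A backup job should read acme-prod-data, but its config has drifted to
    acme-prod-data-old, which the test account owns (constructed names)."""
    client = FakeS3Client(
        bucket_owners={"acme-prod-data": PROD_ACCOUNT,
                       "acme-prod-data-old": TEST_ACCOUNT,
                       "acme-prod-backup": PROD_ACCOUNT},
        objects={("acme-prod-data", "customers.csv"): b"id,email\n1,a@example.com\n",
                 ("acme-prod-data-old", "customers.csv"): b"id,email\n1,stale@example.com\n"},
    )
    source = "acme-prod-data-old"  # the misconfigured bucket name

    # Noncompliant shape: no source owner condition, so stale data from the test
    # account's bucket is silently copied into the production backup.
    client.copy_object(Bucket="acme-prod-backup", CopySource=f"{source}/customers.csv",
                       Key="unchecked/customers.csv", ExpectedBucketOwner=PROD_ACCOUNT)

    # Compliant shape: S3 refuses because the source bucket is not owned by the
    # production account, so the misconfiguration surfaces as an error instead.
    checked = copy_object_owner_checked(
        client, source, "customers.csv", "acme-prod-backup", "checked/customers.csv",
        expected_owner=PROD_ACCOUNT, expected_source_owner=PROD_ACCOUNT)

    return {
        "unchecked_copied": ("acme-prod-backup", "unchecked/customers.csv") in client.objects,
        "checked_copied": checked,
        "backup_keys": sorted(k for b, k in client.objects if b == "acme-prod-backup"),
    }
```

Running run_scenario() shows the difference the detector is flagging: the unchecked copy succeeds and the backup bucket now holds data read from a bucket in the wrong account, while the checked copy returns False and leaves nothing behind. In production code the account IDs should come from configuration or from STS GetCallerIdentity rather than from the request event, so that a caller cannot supply an owner that matches whatever bucket they chose.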