AWS S3 public WRITE permission High

The AWS S3 bucket allows public WRITE permission. Make sure the AWS S3 bucket does not grant WRITE permission to everyone.

Detector ID
terraform/public-write-s3-bucket-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

# Noncompliant example: the canned ACL on this bucket grants WRITE to everyone.
resource "aws_s3_bucket" "public-bucket" {
  bucket   = aws_s3_bucket.bucket_bad_1.id
  provider = aws.west

  # Noncompliant: "public-read-write" grants the AllUsers group WRITE on the
  # bucket, so unauthenticated principals can create, overwrite and delete
  # objects. This is the line the detector reports.
  acl = "public-read-write"

  versioning {
    enabled = true
  }

  # Access logs go to a separate bucket so tampering with this bucket's
  # contents does not also erase the record of who did it.
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }

  lifecycle_rule {
    id                                     = "Delete old incomplete multi-part uploads"
    enabled                                = true
    abort_incomplete_multipart_upload_days = 7
  }

  # Default encryption: algorithm comes from a variable, key from a KMS key
  # managed in the same configuration.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = var.bla
        kms_master_key_id = aws_kms_key.mykey.arn
      }
    }
  }

  # Cross-bucket replication of keys under "foo" using a dedicated IAM role.
  replication_configuration {
    role = aws_iam_role.replication.arn

    rules {
      id     = "foobar"
      prefix = "foo"
      status = "Enabled"

      destination {
        bucket        = aws_s3_bucket.destination.arn
        storage_class = "STANDARD"
      }
    }
  }
}
# Event fan-out: every object created with a ".log" suffix is announced on an
# SNS topic. Unrelated to the ACL finding, but note the source bucket here is
# the publicly writable one, so the topic will also see anonymous uploads.
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.public-bucket.id

  topic {
    events        = ["s3:ObjectCreated:*"]
    filter_suffix = ".log"
    topic_arn     = aws_sns_topic.topic.arn
  }
}
# Bucket-level guardrail: reject public ACLs and public bucket policies, and
# ignore any public ACL that is already attached.
resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.public-bucket.id

  # NOTE(review): with block_public_acls = true, S3 rejects requests that set a
  # public bucket ACL, so the "public-read-write" ACL on public-bucket is
  # expected to fail at apply time — confirm against the provider version in
  # use. The detector flags the declared ACL regardless; remove the ACL rather
  # than relying on this block to make it fail.
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

Compliant example

# Compliant example: the canned ACL grants access to the bucket owner only.
resource "aws_s3_bucket" "private-bucket" {
  bucket   = aws_s3_bucket.bucket_bad_1.id
  provider = aws.west

  # Compliant: "private" gives the owner FULL_CONTROL and grants nothing to
  # AllUsers or AuthenticatedUsers, so no public WRITE is possible via the ACL.
  # NOTE(review): newer AWS provider versions move acl/versioning/logging out of
  # aws_s3_bucket into standalone resources (e.g. aws_s3_bucket_acl) — confirm
  # which provider version this example targets.
  acl = "private"

  versioning {
    enabled = true
  }

  # Access logs go to a separate bucket so tampering with this bucket's
  # contents does not also erase the record of who did it.
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }

  lifecycle_rule {
    id                                     = "Delete old incomplete multi-part uploads"
    enabled                                = true
    abort_incomplete_multipart_upload_days = 7
  }

  # Default encryption: algorithm comes from a variable, key from a KMS key
  # managed in the same configuration.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = var.bla
        kms_master_key_id = aws_kms_key.mykey.arn
      }
    }
  }

  # Cross-bucket replication of keys under "foo" using a dedicated IAM role.
  replication_configuration {
    role = aws_iam_role.replication.arn

    rules {
      id     = "foobar"
      prefix = "foo"
      status = "Enabled"

      destination {
        bucket        = aws_s3_bucket.destination.arn
        storage_class = "STANDARD"
      }
    }
  }
}
# Event fan-out: every object created with a ".log" suffix is announced on an
# SNS topic.
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.private-bucket.id

  topic {
    events        = ["s3:ObjectCreated:*"]
    filter_suffix = ".log"
    topic_arn     = aws_sns_topic.topic.arn
  }
}
# Bucket-level guardrail: reject public ACLs and public bucket policies, and
# ignore any public ACL that is already attached. Keeping this alongside the
# "private" ACL means a later ACL or policy change cannot quietly reopen the
# bucket to the public.
resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.private-bucket.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}