The AWS S3 bucket allows public WRITE permission. Make sure the AWS S3 bucket does not grant WRITE permission to everyone.
resource "aws_s3_bucket" "public-bucket" {
  provider = aws.west
  bucket   = aws_s3_bucket.bucket_bad_1.id

  # Noncompliant: ACL defined which allows public WRITE access.
  # The "public-read-write" canned ACL grants the AllUsers group READ and WRITE on
  # the bucket, so any anonymous caller can list, create, overwrite or delete objects.
  # NOTE(review): the aws_s3_bucket_public_access_block for this bucket (below) sets
  # block_public_acls / ignore_public_acls, which S3 uses to reject or ignore public
  # ACLs; confirm what the example is meant to show at apply time.
  acl = "public-read-write"

  versioning {
    enabled = true
  }

  # Server access logs go to the dedicated log bucket under the "log/" prefix.
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }

  # Replicate objects under the "foo" prefix to the destination bucket.
  replication_configuration {
    role = aws_iam_role.replication.arn

    rules {
      id     = "foobar"
      prefix = "foo"
      status = "Enabled"

      destination {
        bucket        = aws_s3_bucket.destination.arn
        storage_class = "STANDARD"
      }
    }
  }

  # Default encryption with a customer-managed KMS key; the algorithm is supplied
  # through var.bla.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = var.bla
      }
    }
  }

  # Housekeeping: abandon multipart uploads that have not completed within 7 days.
  lifecycle_rule {
    id                                     = "Delete old incomplete multi-part uploads"
    enabled                                = true
    abort_incomplete_multipart_upload_days = 7
  }
}
# Publish an SNS notification whenever a ".log" object is created in public-bucket.
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.public-bucket.id

  topic {
    topic_arn     = aws_sns_topic.topic.arn
    filter_suffix = ".log"
    events        = ["s3:ObjectCreated:*"]
  }
}
# Bucket-level S3 Block Public Access: all four controls enabled for public-bucket.
resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.public-bucket.id

  # Reject new public ACLs and ignore any public ACL already present.
  block_public_acls  = true
  ignore_public_acls = true

  # Reject public bucket policies and limit access to the bucket when one exists.
  block_public_policy     = true
  restrict_public_buckets = true
}
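resource "aws_s3_bucket" "private-bucket" {
  provider = aws.west
  bucket   = aws_s3_bucket.bucket_bad_1.id

  # Compliant: ACL defined which does not allow public WRITE access.
  # The "private" canned ACL grants FULL_CONTROL to the bucket owner only; no
  # permission is given to the AllUsers or AuthenticatedUsers groups.
  acl = "private"

  versioning {
    enabled = true
  }

  # Replicate objects under the "foo" prefix to the destination bucket.
  replication_configuration {
    role = aws_iam_role.replication.arn

    rules {
      id     = "foobar"
      prefix = "foo"
      status = "Enabled"

      destination {
        bucket        = aws_s3_bucket.destination.arn
        storage_class = "STANDARD"
      }
    }
  }

  # Default encryption with a customer-managed KMS key; the algorithm is supplied
  # through var.bla.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = var.bla
      }
    }
  }

  # Housekeeping: abandon multipart uploads that have not completed within 7 days.
  lifecycle_rule {
    id                                     = "Delete old incomplete multi-part uploads"
    enabled                                = true
    abort_incomplete_multipart_upload_days = 7
  }

  # Server access logs go to the dedicated log bucket under the "log/" prefix.
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }
}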
# Publish an SNS notification whenever a ".log" object is created in private-bucket.
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.private-bucket.id

  topic {
    topic_arn     = aws_sns_topic.topic.arn
    filter_suffix = ".log"
    events        = ["s3:ObjectCreated:*"]
  }
}
# Bucket-level S3 Block Public Access: all four controls enabled for private-bucket.
resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.private-bucket.id

  # Reject new public ACLs and ignore any public ACL already present.
  block_public_acls  = true
  ignore_public_acls = true

  # Reject public bucket policies and limit access to the bucket when one exists.
  block_public_policy     = true
  restrict_public_buckets = true
}