json.aws.security.public-s3-bucket.public-s3-bucket

profile photo of semgrepsemgrep
Author
25
Download Count*
LGPL Commons Clause
License

Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: public-s3-bucket
    languages:
      - json
    message: Detected public S3 bucket. This policy allows anyone to have some kind
      of access to the bucket. The exact level of access and types of actions
      allowed will depend on the configuration of bucket policy and ACLs. Please
      review the bucket configuration to make sure they are set with intended
      values.
    metadata:
      category: security
      cwe:
        - "CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
      technology:
        - aws
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      vulnerability_class:
        - Improper Authorization
    patterns:
      - pattern-inside: |
          $BUCKETNAME: {
            "Type": "AWS::S3::Bucket",
            "Properties": {
            ...,
            },
            ...,
          }
      - pattern-either:
          - pattern: |
              "PublicAccessBlockConfiguration": {
                   ...,
                   "RestrictPublicBuckets": false,
                   ...,
                 },
          - pattern: |
              "PublicAccessBlockConfiguration": {
                   ...,
                   "IgnorePublicAcls": false,
                   ...,
                 },
          - pattern: |
              "PublicAccessBlockConfiguration": {
                   ...,
                   "BlockPublicAcls": false,
                   ...,
                 },
          - pattern: |
              "PublicAccessBlockConfiguration": {
                   ...,
                   "BlockPublicPolicy": false,
                   ...,
                 },
    severity: WARNING

Examples

public-s3-bucket.json


  {

    "Resources": {
      "MyBucketF68F3FF0": {
        "Type": "AWS::S3::Bucket",
        "Properties": {
          "BucketEncryption": {
            "ServerSideEncryptionConfiguration": [
              {
                "ServerSideEncryptionByDefault": {
                  "SSEAlgorithm": "aws:kms"
                }
              }
            ]
          },
          // ruleid: public-s3-bucket
          "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": true,
            "BlockPublicPolicy": true,
            "IgnorePublicAcls": false,
            "RestrictPublicBuckets": true
          }
        },
        "UpdateReplacePolicy": "Delete",
        "DeletionPolicy": "Delete"
      },
      "MyBucketF68F3FF1": {
        "Type": "AWS::S3::Bucket",
        "Properties": {
          "BucketEncryption": {
            "ServerSideEncryptionConfiguration": [
              {
                "ServerSideEncryptionByDefault": {
                  "SSEAlgorithm": "aws:kms"
                }
              }
            ]
          },
          // ok : public-s3-bucket
          "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": true,
            "BlockPublicPolicy": true,
            "IgnorePublicAcls": true,
            "RestrictPublicBuckets": true
          }
        },
        "UpdateReplacePolicy": "Delete",
        "DeletionPolicy": "Delete"
      }
    }
  }