json.aws.security.public-s3-policy-statement.public-s3-policy-statement
Author: semgrep
Downloads: 46,010
Detected public S3 bucket policy. This policy allows anyone to access certain properties of or items in the bucket. Do not do this unless you will never have sensitive data inside the bucket.
Definition
rules:
  - id: public-s3-policy-statement
    pattern: |
      {
        "Effect": "Allow",
        "Principal": "*",
        "Resource": [
          ..., "=~/arn:aws:s3.*/", ...
        ],
        ...
      }
    message: Detected public S3 bucket policy. This policy allows anyone to access
      certain properties of or items in the bucket. Do not do this unless you
      will never have sensitive data inside the bucket.
    metadata:
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls"
      references:
        - https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html
      category: security
      technology:
        - aws
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    severity: WARNING
    languages:
      - json
Examples
public-s3-policy-statement.json
{
  "Version": "2012-10-17",
  "Statement": [
    // ruleid:public-s3-policy-statement
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example.com/*"
      ]
    },
    // ok:public-s3-policy-statement
    {
      "Sid": "CloudFront Origin Access Identity",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ECLOUDFRONTOAI"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example.com/*"
      ]
    }
  ]
}
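As an added example, not part of the Semgrep rule or the registry page: a small Python checker that applies the same test the pattern above encodes (Effect Allow, Principal "*", a resource ARN starting with arn:aws:s3) to a parsed bucket policy. It goes a little beyond the pattern: it also treats the documented equivalent {"AWS": "*"} as anonymous, accepts the single-string or list forms IAM allows for Statement, Principal and Resource, and reports whether a Condition narrows the statement. The sample policy and the vpce-EXAMPLE value are constructed for this example.

```python
import json

# Constructed sample bucket policy, modelled on the page's example file: one
# anonymous-read statement, one CloudFront OAI statement (not public), and one
# anonymous statement narrowed by a Condition (constructed vpce-EXAMPLE id).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example.com/*"]},
        {"Sid": "CloudFront Origin Access Identity", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ECLOUDFRONTOAI"},
         "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example.com/*"]},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example.com/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
})


def _as_list(value):
    """IAM lets most policy fields be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for "*" and its documented equivalent {"AWS": "*"} (or "*" in an AWS list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_s3_statements(policy_text):
    """Return (Sid, s3_resources, has_condition) for each Allow statement that grants
    an anonymous principal access to an S3 ARN. A Condition does not make such a
    statement safe; it is reported so a reviewer can judge how narrow it is."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous_principal(stmt.get("Principal")):
            continue
        s3_resources = [r for r in _as_list(stmt.get("Resource", [])) if r.startswith("arn:aws:s3")]
        if s3_resources:
            findings.append((stmt.get("Sid"), s3_resources, "Condition" in stmt))
    return findings


if __name__ == "__main__":
    for sid, resources, conditioned in find_public_s3_statements(SAMPLE_POLICY):
        print(f"{sid}: anonymous access to {resources}" + (" (narrowed by Condition)" if conditioned else ""))
```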
Short Link: https://sg.run/Yv1d