terraform.lang.security.s3-public-read-bucket.s3-public-read-bucket

Author: semgrep
Downloads: 2,055

S3 bucket with public read access detected.


Definition

rules:
  - id: s3-public-read-bucket
    patterns:
      - pattern-either:
          - pattern: acl = "public-read"
          - pattern: acl = "authenticated-read"
      - pattern-not-inside: |
          resource "aws_s3_bucket" "..." {
            ...
            website { ... }
            ...
          }
    languages:
      - hcl
    severity: WARNING
    message: S3 bucket with public read access detected.
    metadata:
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl
        - https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A01:2021 - Broken Access Control
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information

Examples

s3-public-read-bucket.tf

resource "aws_s3_bucket" "a" {
  bucket = "my-tf-test-bucket"
  # ruleid: s3-public-read-bucket
  acl    = "public-read"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket-b"
  # ruleid: s3-public-read-bucket
  acl    = "authenticated-read"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket" "c" {
  bucket = "s3-website-test.hashicorp.com"
  # ok: s3-public-read-bucket
  acl    = "public-read"
  policy = file("policy.json")

  website {
    index_document = "index.html"
    error_document = "error.html"

    routing_rules = <<EOF
[{
    "Condition": {
        "KeyPrefixEquals": "docs/"
    },
    "Redirect": {
        "ReplaceKeyPrefixWith": "documents/"
    }
}]
EOF
  }
}
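The test file above only shows configurations the rule flags (and the website exception it lets through). The following is an added example, not part of the Semgrep rule's own test file, showing the remediated form: the bucket keeps a private canned ACL and gets an aws_s3_bucket_public_access_block so that S3 itself refuses a later public ACL or policy. The bucket name and tags are constructed for illustration.

```hcl
# Added example (not from the Semgrep rule's test file): a bucket written so
# that s3-public-read-bucket does not fire. Bucket name and tags are
# constructed placeholders.
resource "aws_s3_bucket" "d" {
  bucket = "my-tf-test-bucket-d"
  # ok: s3-public-read-bucket
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

# Belt and braces: block public ACLs and policies at the bucket level, so a
# future edit to acl = "public-read" is rejected by S3, not only reported by
# the Semgrep rule during review.
resource "aws_s3_bucket_public_access_block" "d" {
  bucket = aws_s3_bucket.d.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Two points on how the rule reads against real code. First, the rule matches the attribute assignment `acl = "public-read"` or `acl = "authenticated-read"` wherever it appears, and the `pattern-not-inside` exception only applies when that assignment sits directly inside an `aws_s3_bucket` block that also contains a `website { ... }` block; newer AWS provider versions move the ACL into a separate `aws_s3_bucket_acl` resource, where the exception cannot apply, so a static-website bucket written that way will still be reported and needs a reviewer's judgement rather than a rule change. Second, the website exception is about intent, not safety: a `public-read` website bucket is public by design, and the public access block above is deliberately incompatible with it, so choose one or the other per bucket rather than applying both.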