terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket
Author: semgrep (Community Favorite)
Download count*: 61,526
S3 bucket with public read-write access detected.
Definition
rules:
  - id: s3-public-rw-bucket
    pattern: acl = "public-read-write"
    languages:
      - hcl
    severity: ERROR
    message: S3 bucket with public read-write access detected.
    metadata:
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl
        - https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A01:2021 - Broken Access Control
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
Examples
s3-public-rw-bucket.tf
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # ruleid: s3-public-rw-bucket
  acl = "public-read-write"
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}
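For contrast, the same bucket with the public ACL removed and S3 Block Public Access enabled on it, so the rule no longer fires and a later ACL or policy change cannot quietly re-expose the data. This is an added illustration, not part of the rule's own test file; the resource name `b_block` is assumed, the bucket name is carried over from the example above.

```hcl
# Added illustration (not from the Semgrep registry test file):
# private ACL, which the pattern `acl = "public-read-write"` does not match,
# plus a public-access-block so the bucket stays private even if someone
# later sets a public canned ACL or a public bucket policy.
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"

  # ok: s3-public-rw-bucket
  acl = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

# Resource name "b_block" is assumed; the four arguments are the real
# aws_s3_bucket_public_access_block attributes.
resource "aws_s3_bucket_public_access_block" "b_block" {
  bucket = aws_s3_bucket.b.id

  block_public_acls       = true # reject requests that set a public ACL on the bucket or objects
  block_public_policy     = true # reject bucket policies that grant public access
  ignore_public_acls      = true # treat any existing public ACL as private
  restrict_public_buckets = true # restrict access to a bucket with a public policy to the owner and AWS services
}
```

The pattern matches the `acl` attribute wherever it appears, so it also catches the separate `aws_s3_bucket_acl` resource that AWS provider v4 and later use instead of the inline argument shown here.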
Short Link: https://sg.run/0nok