terraform.lang.security.s3-public-rw-bucket.s3-public-rw-bucket

Community Favorite

Author: semgrep

Download count: 61,526

S3 bucket with public read-write access detected.

Definition

rules:
  - id: s3-public-rw-bucket
    pattern: acl = "public-read-write"
    languages:
      - hcl
    severity: ERROR
    message: S3 bucket with public read-write access detected.
    metadata:
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl
        - https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A01:2021 - Broken Access Control
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information

Examples

s3-public-rw-bucket.tf

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # ruleid: s3-public-rw-bucket
  acl    = "public-read-write"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}
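The rule's test file above covers only the legacy inline `acl` argument. The following is an added example, not part of the Semgrep rule or its test suite, that puts the flagged configurations next to a hardened one. Resource names, bucket names and the provider version constraint are illustrative. It relies on two facts about the rule: the pattern is a bare attribute assignment, so it matches `acl = "public-read-write"` in any HCL block, including the `aws_s3_bucket_acl` resource that replaced the inline argument in AWS provider v4; and it matches only that literal string, so `public-read`, `authenticated-read`, or a bucket policy with `"Principal": "*"` are outside its scope.

```hcl
# Added example, not from the Semgrep rule's own test file.
# Resource names, bucket names and the provider version are illustrative.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# 1. Flagged: the legacy inline argument. Deprecated since AWS provider v4
#    but still accepted, and still matched by the rule's pattern.
resource "aws_s3_bucket" "legacy_public" {
  bucket = "example-legacy-public"
  # ruleid: s3-public-rw-bucket
  acl    = "public-read-write"
}

# 2. Also flagged: the same canned ACL via the v4+ split resource. The
#    pattern is not scoped to aws_s3_bucket, so this line matches too.
resource "aws_s3_bucket" "split_public" {
  bucket = "example-split-public"
}

resource "aws_s3_bucket_acl" "split_public" {
  bucket = aws_s3_bucket.split_public.id
  # ruleid: s3-public-rw-bucket
  acl    = "public-read-write"
}

# 3. Hardened: no ACL at all. BucketOwnerEnforced disables ACLs on the
#    bucket, and the public access block rejects any public ACL or public
#    bucket policy applied later outside Terraform.
resource "aws_s3_bucket" "private" {
  bucket = "example-private"
}

resource "aws_s3_bucket_ownership_controls" "private" {
  bucket = aws_s3_bucket.private.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_public_access_block" "private" {
  bucket                  = aws_s3_bucket.private.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Two caveats for triage. First, since April 2023 new buckets are created with ACLs disabled and Block Public Access enabled by default, so cases 1 and 2 would fail at `terraform apply` unless the author also adds ownership controls and a permissive public access block; a finding in fresh code is therefore often a latent misconfiguration rather than a live exposure, but in code written against older buckets it can be both. Second, the rule inspects the string literal only: an ACL passed through a variable or local, a bucket made public via `aws_s3_bucket_policy`, or an ACL set out of band in the console will not be reported, so pair this check with the public access block above rather than treating a clean scan as proof the bucket is private.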