add example terraform rules for S3 bucket policies

stelligent · Mar 19, 2018 · 4dda162 · 4dda162
1 parent 12203b9
commit 4dda162
Show file tree

Hide file tree

Showing 3 changed files with 114 additions and 4 deletions.
diff --git a/example-files/config/README.md b/example-files/config/README.md
@@ -12,6 +12,11 @@ Done:
 * IamPolicyWildcardActionRule
 * IamPolicyWildcardResourceRule
 
+* S3BucketPolicyNotActionRule
+* S3BucketPolicyNotPrincipalRule
+* S3BucketPolicyWildcardActionRule
+* S3BucketPolicyWildcardPrincipalRule
+
 TODO
 * CloudFront resource !Metadata['AWS::CloudFront::Authentication'].nil?  How to specify in Terraform?
 
@@ -34,10 +39,6 @@ TODO
 * ManagedPolicyOnUserRule
 * PolicyOnUserRule
 
-* S3BucketPolicyNotActionRule
-* S3BucketPolicyNotPrincipalRule
-* S3BucketPolicyWildcardActionRule
-* S3BucketPolicyWildcardPrincipalRule
 * S3BucketPublicReadAclRule
 * S3BucketPublicReadWriteAclRule
 

diff --git a/example-files/config/s3.tf b/example-files/config/s3.tf
@@ -0,0 +1,73 @@
+resource "aws_s3_bucket" "b1" {
+  bucket = "my_tf_test_bucket_1"
+}
+
+resource "aws_s3_bucket_policy" "b1" {
+  bucket = "${aws_s3_bucket.b.id}"
+  policy =<<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "s3:*",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      } 
+    } 
+  ]
+}
+POLICY
+}
+
+resource "aws_s3_bucket" "b2" {
+  bucket = "my_tf_test_bucket_2"
+}
+
+resource "aws_s3_bucket_policy" "bucket_with_not" {
+  bucket = "${aws_s3_bucket.b.id}"
+  policy =<<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Deny",
+      "NotPrincipal": "*",
+      "NotAction": "s3:*",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      } 
+    } 
+  ]
+}
+POLICY
+}
+
+resource "aws_s3_bucket_policy" "bucket_with_wildcards" {
+  bucket = "${aws_s3_bucket.b.id}"
+  policy =<<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "*",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      } 
+    } 
+  ]
+}
+POLICY
+}
diff --git a/example-files/rules/terraform.yml b/example-files/rules/terraform.yml
@@ -218,3 +218,39 @@ Rules:
       - type: value
         key: access_logs
         op: present
+  - id: S3_NOT_ACTION
+    message: S3 Bucket Policy should not use NotAction
+    resource: aws_s3_bucket_policy
+    severity: WARNING
+    assertions:
+      - type: value
+        key: policy.Statement[].NotAction
+        op: absent
+  - id: S3_NOT_PRINCIPAL
+    message: S3 Bucket Policy should not use NotPrincipal
+    resource: aws_s3_bucket_policy
+    severity: WARNING
+    assertions:
+      - type: value
+        key: policy.Statement[].NotPrincipal
+        op: absent
+  - id: S3_BUCKET_POLICY_WILDCARD_PRINCIPAL
+    message: Should not allow not wildcard principal in S3 bucket policy
+    resource: aws_s3_bucket_policy
+    severity: WARNING
+    assertions:
+      - not:
+        - type: value
+          key: policy.Statement[].Principal
+          op: contains
+          value: "*"
+  - id: S3_BUCKET_POLICY_WILDCARD_ACTION
+    message: Should not allow not wildcard principal in S3 bucket policy
+    resource: aws_s3_bucket_policy
+    severity: WARNING
+    assertions:
+      - not:
+        - type: value
+          key: policy.Statement[].Action
+          op: contains
+          value: "*"