From 4dda16200690f7823c69e07d44d33590ca2f62da Mon Sep 17 00:00:00 2001
From: lhitchon <larryhitchon@gmail.com>
Date: Sun, 18 Mar 2018 17:39:55 -0700
Subject: [PATCH] add example terraform rules for S3 bucket policies

---
 example-files/config/README.md    |  9 ++--
 example-files/config/s3.tf        | 73 +++++++++++++++++++++++++++++++
 example-files/rules/terraform.yml | 36 +++++++++++++++
 3 files changed, 114 insertions(+), 4 deletions(-)
 create mode 100644 example-files/config/s3.tf

diff --git a/example-files/config/README.md b/example-files/config/README.md
index 179f148..db3df25 100644
--- a/example-files/config/README.md
+++ b/example-files/config/README.md
@@ -12,6 +12,11 @@ Done:
 * IamPolicyWildcardActionRule
 * IamPolicyWildcardResourceRule
 
+* S3BucketPolicyNotActionRule
+* S3BucketPolicyNotPrincipalRule
+* S3BucketPolicyWildcardActionRule
+* S3BucketPolicyWildcardPrincipalRule
+
 TODO
 * CloudFront resource !Metadata['AWS::CloudFront::Authentication'].nil?  How to specify in Terraform?
 
@@ -34,10 +39,6 @@ TODO
 * ManagedPolicyOnUserRule
 * PolicyOnUserRule
 
-* S3BucketPolicyNotActionRule
-* S3BucketPolicyNotPrincipalRule
-* S3BucketPolicyWildcardActionRule
-* S3BucketPolicyWildcardPrincipalRule
 * S3BucketPublicReadAclRule
 * S3BucketPublicReadWriteAclRule
 
diff --git a/example-files/config/s3.tf b/example-files/config/s3.tf
new file mode 100644
index 0000000..62791b7
--- /dev/null
+++ b/example-files/config/s3.tf
@@ -0,0 +1,73 @@
+resource "aws_s3_bucket" "b1" {
+  bucket = "my_tf_test_bucket_1"
+}
+
+resource "aws_s3_bucket_policy" "b1" {
+  bucket = "${aws_s3_bucket.b.id}"
+  policy =<<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "s3:*",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      } 
+    } 
+  ]
+}
+POLICY
+}
+
+resource "aws_s3_bucket" "b2" {
+  bucket = "my_tf_test_bucket_2"
+}
+
+resource "aws_s3_bucket_policy" "bucket_with_not" {
+  bucket = "${aws_s3_bucket.b.id}"
+  policy =<<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Deny",
+      "NotPrincipal": "*",
+      "NotAction": "s3:*",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      } 
+    } 
+  ]
+}
+POLICY
+}
+
+resource "aws_s3_bucket_policy" "bucket_with_wildcards" {
+  bucket = "${aws_s3_bucket.b.id}"
+  policy =<<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "*",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      } 
+    } 
+  ]
+}
+POLICY
+}
diff --git a/example-files/rules/terraform.yml b/example-files/rules/terraform.yml
index 02c2237..c7f870f 100644
--- a/example-files/rules/terraform.yml
+++ b/example-files/rules/terraform.yml
@@ -218,3 +218,39 @@ Rules:
       - type: value
         key: access_logs
         op: present
+  - id: S3_NOT_ACTION
+    message: S3 Bucket Policy should not use NotAction
+    resource: aws_s3_bucket_policy
+    severity: WARNING
+    assertions:
+      - type: value
+        key: policy.Statement[].NotAction
+        op: absent
+  - id: S3_NOT_PRINCIPAL
+    message: S3 Bucket Policy should not use NotPrincipal
+    resource: aws_s3_bucket_policy
+    severity: WARNING
+    assertions:
+      - type: value
+        key: policy.Statement[].NotPrincipal
+        op: absent
+  - id: S3_BUCKET_POLICY_WILDCARD_PRINCIPAL
+    message: Should not allow not wildcard principal in S3 bucket policy
+    resource: aws_s3_bucket_policy
+    severity: WARNING
+    assertions:
+      - not:
+        - type: value
+          key: policy.Statement[].Principal
+          op: contains
+          value: "*"
+  - id: S3_BUCKET_POLICY_WILDCARD_ACTION
+    message: Should not allow not wildcard principal in S3 bucket policy
+    resource: aws_s3_bucket_policy
+    severity: WARNING
+    assertions:
+      - not:
+        - type: value
+          key: policy.Statement[].Action
+          op: contains
+          value: "*"